Skill v0.1.0

ClawScan security

Bing Wallpaper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 5:15 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill does what it says (calls a web API to fetch the Bing wallpaper) and its requirements are proportional, but it relies on an external third‑party API endpoint rather than an official Microsoft/Bing endpoint, which is worth noting.
Guidance
This skill is internally consistent and lightweight, but it queries a third-party API (https://60s.viki.moe) rather than the official Bing service. That means the third party could log requests, see client IPs, or alter returned content. Before installing, decide whether that data flow is acceptable:
1) prefer an official Microsoft/Bing API if you need strong provenance/privacy;
2) inspect and test the endpoint in a sandbox to confirm behavior and output formats (binary image vs. JSON/markdown);
3) ensure the agent will handle binary stdout safely (large downloads) and won't inadvertently forward binary data to unintended destinations; and
4) if you require stronger assurances, ask the author for the reason this endpoint is used or replace the URL with a trusted source.

Review Dimensions

Purpose & Capability
note: The skill's name/description match its behavior: the script fetches the Bing wallpaper. However, it uses a third‑party API (https://60s.viki.moe/v2/bing) instead of an official Microsoft/Bing endpoint; that choice is not explained in the SKILL.md and may have privacy/trust implications.
Instruction Scope
ok: SKILL.md instructs the agent to run scripts/wallpaper.sh with an optional encoding argument. The script only performs an HTTP GET to the listed API and prints the response to stdout; it does not read local files, environment variables, or other system state.
Install Mechanism
ok: There is no install step (instruction-only plus a small included script). Nothing is downloaded or written to disk by an installer; the only runtime action is an outbound HTTP request performed by curl.
Credentials
ok: The skill declares no environment variables, credentials, or config paths, and the script does not access any. The level of requested access is minimal and proportional to the stated function.
Persistence & Privilege
ok: always is false and the skill does not request persistent privileges or modify other skills/settings. It has no elevated persistence or broad system presence.