Horse Sticker Maker
Audited by ClawScan on May 10, 2026.
Overview
The app matches its sticker-maker purpose, but it deploys public AI endpoints that use undeclared Google/Gemini API keys without built-in access controls.
Review before installing or deploying. If you use it, configure restricted Google/Gemini API keys, add authentication and rate limiting to the API routes, disclose that user input is sent to AI providers, and confirm the Vercel production deployment settings instead of blindly using --yes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may deploy the app without realizing it needs provider API keys that can incur quota or billing usage.
The code requires a server-side Google API key, while the registry metadata says there are no required env vars or primary credentials. This under-discloses credential requirements and scope.
const API_KEY = process.env.GOOGLE_API_KEY!
const BASE = process.env.GOOGLE_API_BASE || 'https://aiplatform.googleapis.com/v1/publishers/google/models'
Declare the required API keys, document the needed scopes and billing impact, and tell users how to restrict keys to the intended Google/Gemini APIs.
If deployed publicly, visitors or bots could repeatedly call the endpoint and consume the deployer's API quota or generate costs.
The route accepts public POST input and triggers provider image generation using the server API key. The provided route code shows input length checks, but no authentication, rate limiting, quota control, or abuse protection.
export async function POST(req: NextRequest) {
...
const imageDataUrl = await geminiGenerateImage(prompt)
return NextResponse.json({ image: imageDataUrl })

Add authentication, rate limiting, quotas, and abuse monitoring before production deployment, or keep the app private.
Names or blessing text entered into the app may be sent to Google/Gemini for generation.
User-provided names are incorporated into prompts sent to an external AI provider. This is purpose-aligned, but users should know their input leaves the app server.
const { name } = await req.json()
...
const textRaw = await geminiGenerate(textPrompt)

Disclose the external AI data flow in the app UI and privacy notes, and advise users not to enter sensitive personal information.
Users' browsers depend on the CDN-served script behaving as expected.
The client loads third-party JavaScript from a CDN at runtime. This is purpose-aligned for GIF generation, but no subresource integrity or local vendoring is shown.
src="https://cdn.jsdelivr.net/npm/gif.js@0.2.0/dist/gif.js"
Vendor the script locally or add integrity checking where possible, and review npm dependencies before deployment.
