Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
The Style Index
v1.0.0
Manage your wardrobe, get AI outfit suggestions, and virtually try on clothes before you buy. Powered by The Style Index agent API.
by @jjc7951
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md endpoints and flows (wardrobe, outfits, try-on, consent, auth/register/link) match the stated purpose (virtual wardrobe and try-on). However, the skill expects an agent API key to be obtained and stored, yet the registry metadata lists no required credential or primaryEnv: the declared metadata is incomplete and inconsistent with the runtime instructions.
Instruction Scope
Instructions are specific and scoped to the service: registering/linking an email, calling the Style Index API, uploading user photos, generating try-on images, and issuing magic web links. The agent is directed to transmit user photos and profile images to https://thestyleindex.app, which is expected for this feature but is sensitive (personal images). There is no instruction to read unrelated local files or other system credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. That reduces risk from arbitrary installs, but also means there is no code to audit — runtime behavior depends entirely on the agent following these network calls.
Credentials
The skill requires an agent API key (agent_key: tsi_...) per the SKILL.md, but the registry lists no required env vars or primary credential. Requiring and persisting a third-party API key (which grants the external service access to uploaded photos and wardrobe data) is significant and should have been declared. No other unrelated secrets are requested.
Persistence & Privilege
The skill asks the agent to 'store the agent_key securely' and implies consent persistence across sessions. The skill itself does not request always:true or modify other skills, but you should confirm how and where the agent/platform will persist that key and whether it can be revoked or scoped.
What to consider before installing
1) The skill will ask for the user's email and an agent API key (tsi_...) and will upload and send user photos to https://thestyleindex.app for processing — these are sensitive operations.
2) The registry metadata does not declare this API key or how it will be stored; ask the publisher how the key is stored, whether it is saved to platform secrets, and how to revoke it.
3) Verify the service domain, privacy policy, and how long images are retained; avoid uploading highly sensitive photos until you trust those policies.
4) If you want to test, consider using a throwaway account/email and non-sensitive images.
5) Because this is instruction-only (no code to audit), rely on the service's reputation and ability to revoke keys; if that information is unavailable, treat the skill with caution.
Like a lobster shell, security has layers — review code before you run it.
