Skill v1.0.2
ClawScan security
Palmistry Ai Palm Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 3:11 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is coherent with its stated purpose: it requires a single API key and curl to send user palm images to ToolWeb's API and return a reading — the main risks are privacy and billing (images are sent to an external service), but nothing in the package is disproportionate or mismatched with the description.
- Guidance
- This skill sends user palm photos and metadata to https://portal.toolweb.in and requires you to provide an API key (TOOLWEB_API_KEY). Before installing, verify the legitimacy and privacy policy of portal.toolweb.in, understand that image data will leave your environment (may be stored and billed), consider testing with non-sensitive images, and ensure the API key you provide has appropriate scope and billing limits. Also confirm the exact API endpoint/path with the provider (SKILL.md shows slightly inconsistent path names) and decide whether you are comfortable with a remote service doing the image analysis.
Review Dimensions
- Purpose & Capability
- ok: Name/description (AI palm reader) matches requested resources: a single TOOLWEB_API_KEY and curl are appropriate for an instruction-only skill that calls an external API. No unrelated credentials or binaries are requested.
- Instruction Scope
- note: Instructions consistently require converting the user-provided palm image to base64 and POSTing it to the ToolWeb endpoint; they explicitly forbid local inference and mandate using the remote API. This is consistent with the described behavior but has privacy implications because raw images are sent to an external service. Minor inconsistency in the SKILL.md around the exact API path naming (several variants shown) should be clarified but does not change core behavior.
- Install Mechanism
- ok: No install spec or third-party downloads — instruction-only skill. This is the lowest-risk install model; nothing is written to disk by the skill itself beyond what the agent would normally do when handling an image.
- Credentials
- note: Only TOOLWEB_API_KEY is required (declared as primary), which is proportionate for a hosted API. However, the API will receive users' palm images and session metadata (sessionId, userId, timestamp) — users should expect their images and associated metadata to be transmitted and potentially stored/billed by the service.
- Persistence & Privilege
- ok: `always` is false, no config paths requested, and the skill does not request persistent system-level privileges. It does require an API key but does not modify other skills or system-wide settings.
