Skill v3.0.0
ClawScan security
Storybook Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 30, 2026, 10:15 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match its stated purpose (using the AnyGen CLI with an AnyGen API key to generate visual stories); nothing requested is disproportionate or unrelated.
- Guidance: This skill legitimately wraps the AnyGen CLI and needs your AnyGen API key (or a browser login) to operate. Before installing: confirm you trust AnyGen (www.anygen.io) because content and assets will be sent to that service; be aware the npm package will install a binary on your system; the CLI may store auth tokens locally after login. Only provide an API key with permissions you are comfortable granting, and review AnyGen's privacy/usage policy. If you don't trust the AnyGen publisher, do not install or share your API key.
Review Dimensions
- Purpose & Capability (ok): Name/description: visual story generation. Declared requirements: anygen binary and ANYGEN_API_KEY. Install: @anygen/cli that provides anygen. These align with the stated purpose.
- Instruction Scope (ok): SKILL.md only instructs use of the AnyGen CLI, how to authenticate (API key or browser login), and to follow an anygen workflow. It does not request unrelated files, system paths, or unrelated credentials.
- Install Mechanism (note): Install uses a Node package (@anygen/cli) which is an expected, traceable mechanism for providing the anygen CLI. This is moderate-risk relative to an instruction-only skill (because it writes a binary to disk), but is proportionate for a CLI integration.
- Credentials (ok): Only ONE credential (ANYGEN_API_KEY) is required and is the declared primaryEnv. No unrelated secrets, config paths, or additional tokens are requested.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated platform privileges. It does direct the use of a third-party CLI, which may store auth locally, but the skill itself does not request broader system persistence.
