ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Comic To Realistic

v1.0.3

Convert comic or anime character images into high-quality, realistic portraits while preserving key facial features and expressions.

0· 100·0 current·0 all-time
byPatronum@maweis1981
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, README, SKILL.md, and manifest all describe an image-to-image workflow against https://api.ngmob.com, which is coherent with a comic→realistic transformation service. However the author/source are unknown and there is no homepage; the manifest points to a third-party API (ai.ngmob.com/api/v1/workflows/...) rather than a well-known vendor, which reduces transparency.
Instruction Scope
SKILL.md instructs the agent to accept a publicly accessible image URL and a prompt, and to call the external API for image-to-image generation. The instructions do not attempt to read local files, shell history, or unrelated environment data. They do reference product and API base URLs and include prompt guidance; scope remains limited to the stated task.
Install Mechanism
There is no install spec and no code files executed by the platform — this is instruction-only. That minimizes install-time risk (nothing is downloaded or written by an installer).
!
Credentials
The manifest includes an Authorization header using 'Bearer {{API_KEY}}' and a polling flow that also uses {{API_KEY}}, but the registry metadata and SKILL.md declare no required environment variables or primary credential. This mismatch is an incoherence: calling the remote API legitimately requires an API key, but the skill does not declare that requirement or explain how the key is provided. That gap could lead to unexpected prompts for credentials or silent failures. Also the manifest posts image URLs to a third-party service — users should consider privacy of images uploaded.
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges. It does not attempt to modify other skills or system configuration. Autonomous invocation is permitted (default) but this is normal and not by itself concerning.
What to consider before installing
This skill appears to do what it says (use an external API to convert anime/comic images to realistic portraits) but has an important inconsistency: the manifest expects a Bearer API_KEY while the skill metadata and SKILL.md do not declare any required credentials or tell you where to obtain one. Before installing or using the skill: 1) Ask the publisher for a homepage, privacy policy, and where the API_KEY should come from; verify the ai.ngmob.com endpoint is trustworthy. 2) Understand that submitting image URLs (especially photos of real people) sends data to a third-party service—check retention, sharing, and consent. 3) Only supply an API key created for this service and with minimal permissions; do not reuse high-privilege or long-lived credentials (e.g., cloud provider keys). 4) If you are uncomfortable with an unknown provider, decline installation or request the author to declare required env vars explicitly (API_KEY) and provide a source/terms of service. Additional evidence (author contact, homepage, or documentation) would raise confidence toward benign; absence keeps this suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739t3ns7gkh45erysc5e9p1x83yraa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments