Skillv1.0.0

ClawScan security

Recraft AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 11, 2026, 9:02 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, install steps, and required RECRAFT_API_TOKEN align with its stated image-generation and transformation purpose and do not request unrelated credentials or suspicious access.
Guidance: This skill appears to do what it claims, but consider these practical checks before installing: (1) Treat your RECRAFT_API_TOKEN like a secret—anyone with it can use your Recraft account and credits. Use a token with minimal permissions if possible. (2) Confirm you trust https://recraft.ai and that the endpoint (BASE_URL in the script is https://external.api.recraft.ai/v1) is expected for your account. (3) Ensure runtime dependencies (Python 3.10+, requests) are available in the environment where 'uv run' will execute. (4) Because the script uploads local image files to the Recraft service, avoid sending images containing sensitive personal data unless you accept that they will be transmitted to Recraft. (5) If you want extra caution, run the script in an isolated environment/container and inspect traffic (or DNS) to verify endpoints before using production tokens.

Purpose & Capability: okName/description (image generate/vectorize/upscale/transform) match the included script and required items: the script calls a Recraft API, requires an API token, and expects a 'uv' runner. No unrelated services or credentials are requested.
Instruction Scope: okSKILL.md and the script limit actions to: sending image files or prompts to the Recraft API, saving returned base64 image data to a user-specified path, and printing a MEDIA: line. The instructions do not ask the agent to read unrelated files, collect extra environment data, or transmit data to non-Recraft endpoints.
Install Mechanism: noteInstall uses a Homebrew formula for 'uv', which is a low-risk, standard package install. The Python script lists requests as a dependency but the skill does not include an automated pip install step; this is an operational gap (not a security problem) users should be aware of so runtime dependencies are satisfied.
Credentials: okOnly RECRAFT_API_TOKEN is required and declared as primaryEnv. The script reads that token and no other environment variables or unrelated credentials. The token is proportionate to the declared API usage.
Persistence & Privilege: okSkill is not configured as always:true and does not request persistent system-wide configuration changes or modify other skills. It runs on-demand and uses only its own script and environment token.