Skill v1.0.0
ClawScan security
Recraft AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:59 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested binaries, environment variable, network endpoints, and runtime instructions all line up with its stated purpose of calling the Recraft image API.
- Guidance: This skill appears to do what it claims: it uploads your provided images (and prompts) to Recraft's API and writes the returned image bytes to disk. Before installing, confirm you trust Recraft and its domain (the script calls https://external.api.recraft.ai/v1). You will need a valid RECRAFT_API_TOKEN (the tool will use your account credits). Also ensure the runtime has Python (>=3.10) and the 'requests' library installed — the install spec only installs the 'uv' brew formula and not Python packages. If you have privacy or billing concerns, review Recraft's policy because images you send will be transmitted to their API. Finally, if you want to be extra cautious, inspect or run the bundled script in a restricted environment (no extra secrets mounted) before giving it network access or your API token.
Review Dimensions
- Purpose & Capability: ok. Name/description (image generation/editing via Recraft) match the code and SKILL.md. The script calls Recraft endpoints and requires a RECRAFT_API_TOKEN, which is appropriate for this purpose. The required binary 'uv' is used in the provided run examples.
- Instruction Scope: ok. SKILL.md only instructs the agent to set RECRAFT_API_TOKEN, run the bundled script via 'uv', supply input image paths, and save output files. The script reads only the provided input files and writes the specified output path, and posts data to Recraft API endpoints declared in the code. It does not instruct collecting unrelated system files or secrets.
- Install Mechanism: note. Install uses a Homebrew formula 'uv' which is a normal package install. No arbitrary downloads or extracts are present. Note: the Python script lists a dependency on 'requests' in a comment header but the install spec does not install Python dependencies; the environment running the script must already have the required Python runtime and libraries.
- Credentials: ok. Only RECRAFT_API_TOKEN is required and declared as the primary credential. That single API token is appropriate and proportional for a wrapper around Recraft's API; no unrelated credentials or system config paths are requested.
- Persistence & Privilege: ok. The skill is not force-included (always:false) and does not request persistent elevated privileges or modify other skills. It can be invoked autonomously (platform default), which is expected for a user-invocable integration and not by itself suspicious.
