Back to skill
Skillv1.0.0
ClawScan security
90s Anime Art Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 26, 2026, 1:31 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and network calls are consistent with a 90s-anime image generator that uses the Neta/TalesOfAI image API; nothing requested or installed appears disproportionate or unrelated to that purpose.
- Guidance
- This skill appears to do what it says: it sends your prompt to an image-generation API (api.talesofai.com / neta.art) and prints a resulting image URL. Before installing or running it, verify the token source (https://www.neta.art/open/) and prefer passing tokens via a secure mechanism (environment variable or protected config) rather than on the command line on multi-user systems. If you want stronger assurance, check the publisher identity (owner ID / repository) since the skill's homepage is unknown; otherwise the code here is self-contained and consistent with the description.
Review Dimensions
- Purpose & Capability
- okName/description promise (generate 90s-style images) aligns with the included code and README: the script sends prompts to an image-generation API and returns an image URL. No unrelated credentials, config paths, or unrelated binaries are requested.
- Instruction Scope
- noteSKILL.md and README instruct running the bundled node script and passing a Neta API token via --token. The instructions do not request reading other files or credentials. Minor note: passing tokens on the command line exposes them in process listings on shared systems (general CLI caution).
- Install Mechanism
- okThere is no remote download/install step; the package is distributed as source files in the skill bundle. The SKILL.md suggests adding via npx/clawhub, which is consistent with a published skill. No extracted archives or remote installers are used.
- Credentials
- noteThe only secret the skill needs is the Neta API token provided at runtime via --token; that is proportionate. One usability/security note: the token is passed as a CLI flag (visible to other local users via process listings) rather than read from an environment variable or config file — this is not malicious but is less private.
- Persistence & Privilege
- okThe skill does not request permanent inclusion (always: false), does not modify other skills or system configuration, and does not claim elevated privileges.