ClawHub

Album Cover Skill

v1.5.7

Generate ai album cover generator images with AI via the Neta AI image generation API (free trial at neta.art/open).

0· 149·0 current·0 all-time
by@omactiengartelle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code and README: the script sends prompts to the Neta/TalesOfAI image API and returns a direct image URL. One minor inconsistency: registry metadata listed no required env vars, but package.json and the script require a NETA_TOKEN (or --token). Functionality requested (API token) is appropriate for the stated purpose.
Instruction Scope
SKILL.md and albumcover.js instruct only running the script with a prompt and token. The runtime only reads the prompt, optional ref UUID, and the NETA_TOKEN (or --token), then calls the external API and prints an image URL. It does not read other files, system config, or unrelated environment variables, nor does it send data to unexpected endpoints.
Install Mechanism
No install spec is provided (instruction-only). The package includes a single small JS script and README; nothing is downloaded from untrusted URLs or installed automatically. Low install risk.
Credentials
The only credential required is a NETA_TOKEN, which is proportionate to contacting the Neta/TalesOfAI API. However, there is a metadata inconsistency: the registry metadata claimed 'Required env vars: none' while package.json declares NETA_TOKEN as required and the code enforces it. Users should be aware the token is required and will be sent to https://api.talesofai.com.
Persistence & Privilege
The skill is not marked always:true, does not request persistent system privileges, and does not modify other skills or system settings. It runs on-demand and only makes outbound API calls to the image service.
Assessment
This skill appears to do what it says: it sends your text prompt (and an optional reference UUID) to the Neta/TalesOfAI image API and prints a returned image URL. Before installing: (1) Be prepared to provide a NETA_TOKEN (pass with --token or set NETA_TOKEN); the token will be sent to https://api.talesofai.com. (2) Verify you trust the owner/source (the registry metadata omitted the required env var even though package.json and the script require it). (3) Avoid supplying any high-privilege or reusable credentials—use a dedicated API token for this service. (4) If you need higher assurance, review the included albumcover.js yourself or run it in an isolated environment; the script does not read other local files or exfiltrate data beyond the image API.
albumcover.js:28
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk970q1rmmc1174pxpeemgw6s6n83pnqx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments