Skill v1.0.0
ClawScan security
Caricature Portrait Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 4, 2026, 10:19 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's code and instructions consistently implement an image-generation client that calls the Neta/api.talesofai.com service and only requires a user-supplied API token; nothing in the package appears disproportionate or unrelated to its stated purpose.
- Guidance: This skill appears coherent and implements a straightforward client for Neta/api.talesofai.com. Before installing:
  1. Obtain your Neta token from the official site and verify you trust that provider and its privacy/usage terms.
  2. Note the script expects the token as a --token command-line argument; passing secrets on the command line can expose them to other users via process listings on multiuser systems — prefer a secure mechanism (temporarily set a protected env var or use a wrapper) if that matters.
  3. Review any prompts you send — images and text prompts are transmitted to the external API.
  4. If you need stronger assurance, run the script in a sandbox or inspect network traffic to confirm it only talks to the stated API endpoints (api.talesofai.com).
Review Dimensions
- Purpose & Capability (ok): Name/description match the code and README: the script posts a prompt to api.talesofai.com (Neta) to generate images. No unrelated credentials, cloud services, or binaries are requested.
- Instruction Scope (ok): SKILL.md and README simply instruct running the Node script with a Neta token and optional flags (size, ref). The runtime instructions do not ask the agent to read arbitrary files or environment variables, or to contact endpoints beyond the stated API.
- Install Mechanism (ok): No install spec is provided (instruction-only install), and the bundle contains a small Node script and package.json. There are no downloads from untrusted URLs and no extract/execute steps.
- Credentials (note): No environment variables are declared in the metadata; the script expects the token via the --token CLI flag. That is proportionate to the stated purpose, but because the token is passed on the command line rather than through an env var, the registry metadata does not advertise the required credential (token) as a required env var.
- Persistence & Privilege (ok): The always flag is false; the skill does not request persistent system-level privileges or modify other skills/configs. It only issues outbound HTTPS requests to the image API.
