Skill v1.0.0

ClawScan security

Dark Academia Art Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 12:42 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, documentation, and runtime instructions are coherent with its stated purpose (creating images via the Neta/TalesOfAI API) and do not request unrelated credentials, installs, or file access.
Guidance
This skill appears to do what it says: it sends your prompt and a provided Neta token to api.talesofai.com and returns an image URL. Before installing or running: (1) confirm you trust the Neta / TalesOfAI service and its privacy/usage terms, (2) avoid passing secrets on shared command lines (CLI tokens can be visible to other local users via process lists) — prefer a secure mechanism if available, (3) inspect the small included script (it's readable and only performs API calls), and (4) if you need stronger isolation, run it in a disposable container or limited environment.

Review Dimensions

Purpose & Capability
ok: Name/description claim image generation via Neta; the included Node script posts prompts and a token to api.talesofai.com and returns an image URL. No unrelated credentials, binaries, or system access are requested. README references neta.art/open and the code uses api.talesofai.com (the README explains they are the same service), which is consistent.
Instruction Scope
ok: SKILL.md and README instruct running the Node script with a --token flag and optional flags; the script only constructs JSON, sends it to the external API, polls for results, and prints a URL. It does not read arbitrary files, environment variables, or other system state. Network I/O to the image API is expected for this purpose.
Install Mechanism
ok: No install spec is provided; this is an instruction-only skill with an included script. Nothing is downloaded or written during installation by the skill metadata itself.
Credentials
ok: No environment variables or credentials are declared; the script requires a user-supplied Neta token passed as a CLI flag, which is appropriate for the API usage and limited in scope.
Persistence & Privilege
ok: Skill does not request always:true, does not modify other skills or system settings, and is user-invocable only. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.