Skill v1.0.0

ClawScan security

Dnd Character Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Apr 15, 2026, 5:42 AM)

Verdict: Benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's code, instructions, and network usage are consistent with its stated purpose (generating images via the Neta/TalesofAI API), and it does not request unrelated credentials or privileged installation.
Guidance

This skill appears to be what it claims: a CLI that sends your text prompt and a provided Neta/TalesofAI token to api.talesofai.com and prints an image URL. Before installing or running:

1) Only provide a Neta token you trust and avoid reusing sensitive tokens (do not pass unrelated AWS/GitHub/Slack tokens).
2) Verify you trust the skill owner/source: this package contains executable JS (dndcharacter.js) which will run locally.
3) Confirm api.talesofai.com is the intended endpoint for your token (SKILL.md mentions neta.art/open as the signup page and README maps that to api.talesofai.com).
4) If you need stronger assurance, inspect the script locally (it's short) to confirm it does nothing beyond calling the API and printing a URL.

There are no hidden network destinations or extra credential accesses observed.

Review Dimensions

Purpose & Capability: ok
Name/description (D&D character image generation) align with the implementation: the script posts prompts to api.talesofai.com and polls for an image URL. The README and SKILL.md correctly reference the Neta service. No unrelated services, credentials, or binaries are requested.

Instruction Scope: ok
Runtime instructions are limited and explicit: run node dndcharacter.js "prompt" --token YOUR_TOKEN. The SKILL.md does not instruct reading unrelated files or secrets. The code only uses the provided token and prompt, and returns/prints a direct image URL.

Install Mechanism: note
There is no install spec in registry metadata (instruction-only style), but the package includes source files (dndcharacter.js and package.json). This is not a security red flag by itself, but users should note the skill carries code (not purely prose) that will be executed locally when run.

Credentials: ok
The skill requires a single API token supplied via a CLI flag (or optionally via an env var as suggested in README). No other credentials, config paths, or secrets are requested. This is proportionate to the stated API usage.

Persistence & Privilege: ok
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as a one-off command-line script and exits after printing the image URL.