Back to skill
Skillv1.0.0
ClawScan security
Film Photo Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 17, 2026, 7:19 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (calling the Neta / api.talesofai.com image API with a user-provided token) and request no unrelated credentials or system access.
- Guidance
- This skill appears coherent and limited to calling the Neta image API with a user-supplied token. Before installing, confirm you trust the Neta/api.talesofai.com service and the skill author (source is listed as unknown). Do not include secrets or personally identifying data in prompts you send to the remote API. Verify your token permissions and revoke it if you notice unexpected usage. If you require higher assurance, run the included script in an isolated environment and inspect traffic (or substitute your trusted endpoint) before using with sensitive data.
Review Dimensions
- Purpose & Capability
- okName/description say it generates film-style images via the Neta API; the code and README consistently call api.talesofai.com and require a Neta API token passed as --token. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope
- okSKILL.md instructs running the included Node script with a token and prompt. The script only sends prompt/size/ref to the remote API and polls for results; it does not read local files, environment variables, or other system state beyond process.argv.
- Install Mechanism
- okThere is no install spec (instruction-only install). A small JS file is included; no downloads, external installers, or archive extraction occur. The package.json is minimal.
- Credentials
- okThe skill requires a single API token (provided via CLI flag). No other secrets, unrelated service credentials, or config paths are requested.
- Persistence & Privilege
- okalways is false; the skill does not modify other skills or system settings and does not request persistent presence or elevated privileges.