Skill v1.0.0
ClawScan security
Gothic Portrait Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 11:52 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, README, and runtime instructions are consistent with a simple CLI wrapper around the Neta (api.talesofai.com) image-generation API and do not request unrelated credentials or privileged system access.
- Guidance: This skill appears to be a straightforward CLI wrapper that sends prompts to api.talesofai.com and returns an image URL. Before installing: 1) Be aware the script expects your Neta API token via --token; passing secrets on the command line can expose them in your shell history and process list—prefer using temporary tokens or a safer secret mechanism if possible. 2) Verify you obtained the token from the official Neta site (https://www.neta.art/open/) and that api.talesofai.com is the expected endpoint for your account. 3) The script performs polling and prints task IDs/errors to the console; it does not persist secrets or write to other configs. 4) If you require stronger guarantees, inspect or run the script in a controlled environment before use.
Review Dimensions
- Purpose & Capability (ok): Name/description claim gothic image generation via the Neta API; the code posts prompts to api.talesofai.com and polls for a result URL. The README and SKILL.md consistently reference a Neta API token and the same service endpoint, so required capabilities match the stated purpose.
- Instruction Scope (note): SKILL.md and README instruct running the included Node script and passing a Neta token via --token. The script only sends prompts to the indicated API and polls for results; it does not read other files or environment variables. Note: passing a secret via a CLI flag exposes it to shell history and process listings—there's no guidance in the docs about safer secret handling.
- Install Mechanism (ok): No install spec and only a small JS script are included; nothing is downloaded or installed from external URLs. This is lower risk because the skill is instruction + local script only.
- Credentials (ok): No registry-required environment variables or unrelated credentials are requested. The API token is required but supplied as a CLI flag (not as an env var). This is proportionate to the described functionality, though supplying credentials on the command line has privacy/exposure implications.
- Persistence & Privilege (ok): always is false, no automatic persistent installation, and the script does not modify system or other skill configuration. The skill runs as a transient CLI tool and exits after printing a result URL.
