Skill v1.0.0

ClawScan security

Pet To Human Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 9:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a simple CLI wrapper around the Neta/TalesOfAI image API and do not request unrelated credentials or install arbitrary third-party software.
Guidance
This skill appears to do what it says: it sends your prompt and the provided Neta/TalesOfAI API token to api.talesofai.com to produce an image URL. Before using it, review these points:

- The script will transmit the token you pass via --token to api.talesofai.com; only use a token you trust and that is intended for this service.
- The README suggests installing via npx; npx executes remote code and can run anything. Prefer inspecting the repository files locally (pettohumangenerator.js) before running, or copy the script into a local file you control.
- Verify the token's permissions and billing implications with Neta/TalesOfAI and avoid sharing tokens in logs or public places.
- If you plan to pipe the resulting URL into automated workflows, consider whether generated images or metadata might expose personal data.

Overall this skill is coherent and limited in scope, but treat remote installation (npx) and API tokens with the usual caution.

Review Dimensions

Purpose & Capability
ok
Name/description, README, SKILL.md, and the JS code all describe generating humanized pet portraits via the Neta/TalesOfAI image API. The only external access is the Neta/TalesOfAI endpoints used to submit and poll image-generation tasks, which matches the stated purpose.
Instruction Scope
ok
Runtime instructions are narrow: run the node script with a prompt and a --token API token. The SKILL.md does not instruct the agent to read unrelated files, environment variables, or system state, nor to send data to endpoints outside api.talesofai.com / neta.art.
Install Mechanism
ok
No install spec is present; this is an instruction-only skill with a local JS file. There are no downloads from unknown URLs, no extract steps, and no package installs declared by the skill itself. (Note: README suggests using `npx skills add ...`; invoking npx will fetch remote code and should be treated as running third-party code.)
Credentials
ok
The script requires only a single API token passed via the --token flag. It does not request any unrelated credentials, config paths, or secrets, and does not read extra environment variables.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated persistence. It does not modify other skills or system-wide settings.