Skill v1.0.0
ClawScan security
Plush Toy Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 3:08 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a text-to-image plushie generator that calls the Neta/TalesOfAI image API — it only requires a user-supplied API token and does not request unrelated credentials, system access, or installs.
- Guidance: This skill sends your text prompt (and an optional reference UUID) and your provided API token to the external Neta/TalesOfAI service (api.talesofai.com). Only use a token you trust and avoid sending sensitive personal data in prompts or reference images. Ensure you run the script in a Node environment you control (Node 18+ for fetch). If you need stricter privacy, review the API's terms or use a token with limited permissions or a throwaway account.
Review Dimensions
- Purpose & Capability (ok): Name/description match the behavior: the JS CLI constructs a prompt and calls an external image-generation API (api.talesofai.com / Neta). No unrelated services or credentials are requested.
- Instruction Scope (ok): SKILL.md tells the user to run the included Node script with a --token flag. The runtime instructions and code only submit the prompt and optional reference UUID to the image API and poll for results; they do not read local files, environment secrets, or other system state.
- Install Mechanism (ok): No install spec is present (instruction-only install), and the package is a small single-file CLI. Nothing is downloaded or written to disk by an installer. The script requires a Node runtime with fetch support (Node 18+).
- Credentials (ok): No environment variables or system config paths are required. The only secret is a user-supplied Neta API token passed via --token, which is proportional to the stated purpose.
- Persistence & Privilege (ok): Skill is not always-enabled and does not modify other skill or system configurations. It does not request persistent privileges or autonomous elevation.
