Skill v1.0.0

ClawScan security

Surreal Art Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 10:39 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and required inputs align with its stated purpose (text→surreal image generation) and request only a single API token; nothing requested or installed is disproportionate.
Guidance
This package is internally consistent: it runs a local Node script that posts prompts to api.talesofai.com and returns an image URL. Before installing, confirm you trust the Neta/TalesOfAI service (the README points to api.talesofai.com / neta.art/open), because the token you provide grants that service the ability to generate images on your account. Avoid sending highly sensitive personal data in prompts. If you want extra caution, create or use a limited-scope or trial token for this skill, and review network traffic or firewall rules if you must enforce where requests may go. Otherwise the skill appears to do what it claims.

Review Dimensions

Purpose & Capability
ok: Name/description promise (surreal AI art) matches the included Node script and SKILL.md which call an image-generation API. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
ok: SKILL.md and README instruct the agent/user to run the provided script with a Neta API token and optional flags (size, ref). Instructions do not ask the agent to read unrelated files, aggregate unrelated system data, or exfiltrate information to unexpected endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only install via npx/clawhub is suggested). All code is included in the package; there are no external downloads, extract steps, or third-party package installs declared by the skill itself.
Credentials
ok: The only secret required is the Neta API token supplied at runtime (via --token or a shell variable). No other service credentials or sensitive environment variables are requested.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system settings, and has no elevated persistence requirements.