Skillv1.0.0

ClawScan security

Tattoo Design Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 5, 2026, 10:49 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are consistent with a simple CLI wrapper around the Neta/TalesOfAI image-generation API and do not request unrelated access or installs.
Guidance: This skill appears to do what it says: send your prompt and a token to the Neta/TalesOfAI endpoints and print an image URL. Before installing, consider that the script requires your API token — supplying tokens on the command line can leak via shell history or process listings, so prefer using a temporary token or an environment-variable wrapper when possible. Verify the token's scope and revoke it if you suspect exposure. Also review the bundled tattoodesigngenerator.js yourself before running it; the code is short and readable and appears to only call the listed API endpoints.

Purpose & Capability: okName/description describe an image-generation tattoo design tool and the included JS script performs exactly that by calling api.talesofai.com endpoints; required inputs (a Neta API token and prompt) are proportional to the stated purpose.
Instruction Scope: okSKILL.md only instructs running the included Node script with a token and prompt. It does not ask the agent to read other files, environment variables, or system state, nor to transmit data to unexpected endpoints outside the image API.
Install Mechanism: okThere is no install spec (instruction-only skill with bundled code). No external downloads, package installs, or extraction from unknown URLs are present.
Credentials: okThe only secret required is the Neta API token passed via --token; no other credentials, config paths, or unrelated environment variables are requested.
Persistence & Privilege: okSkill is not always-enabled, does not request persistent system-wide changes, and does not modify other skills or global agent settings.