Skill v1.0.0
ClawScan security
Trading Card Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 3:46 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: it sends prompts to the Neta/TalesOfAI image API using a user-supplied token and returns an image URL; it does not request unrelated credentials or perform unexpected local actions.
- Guidance: This skill appears to do what it says: it sends your text (and optional reference UUID) to the Neta/TalesOfAI image API and returns an image URL. Before using it: (1) keep your Neta token secret — do not paste it publicly; the tool sends the token to api.talesofai.com. (2) be aware of copyright/trademark risks when requesting art in the style of brands (MTG, Pokemon, Yu-Gi-Oh, sports teams) — check the service Terms of Use and rights for generated images. (3) source provenance: no homepage is provided and the package owner is an opaque ID; if you have trust concerns, inspect the provided tradingcardgenerator.js (which is short and readable) or run it in a sandbox. (4) the script sends your prompt to an external service, so avoid submitting sensitive or private data. Everything else looks proportional and consistent with the stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description, README, SKILL.md and the code all describe an image-generation CLI that calls the Neta/TalesOfAI endpoints (api.talesofai.com). The required input (a Neta API token passed via --token) matches the service used. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope (ok): Runtime instructions are limited and specific: run the Node script with a prompt and --token. The SKILL.md and script do not instruct reading unrelated files, accessing other env vars, modifying system state, or sending data to endpoints outside the image API service. The script does poll the service until the image is ready and prints the image URL.
- Install Mechanism (ok): No install spec is provided (instruction-only skill with one JS file). No downloads from arbitrary URLs, no archive extraction, and no package installation beyond the skill itself. Risk from install mechanism is low.
- Credentials (ok): The only secret the tool needs is the Neta API token passed as a CLI flag; SKILL.md and the code do not require additional unrelated environment variables or credentials. The token is forwarded to api.talesofai.com in the 'x-token' header.
- Persistence & Privilege (ok): 'always' is false and the skill does not claim to persist or modify other skills or system-wide configuration. It does not enable itself or store tokens automatically.
