ClawHub

Yearbook Photo Skill

v1.6.0

Generate ai yearbook photo generator images with AI via the Neta AI image generation API (free trial at neta.art/open).

0· 109·0 current·0 all-time
by@omactiengartelle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, README, SKILL.md, package.json and the included yearbookphoto.js all align: the skill generates images via a Neta/TalesOfAI API and requires an API token. The network calls (POST to /v3/make_image and polling /v1/artifact/task) are consistent with image generation.
Instruction Scope
SKILL.md and the script only instruct usage of a token and running the Node script; there are no instructions to read unrelated files, other credentials, system config, or to transmit data to unexpected third parties beyond the image API endpoints used in the code.
Install Mechanism
No install spec is provided (instruction-only with an included Node script). There are no downloads from arbitrary URLs or extraction steps in the package; recommended install via npx/clawhub is a packaging convenience, not an opaque installer.
Credentials
The skill requires a single credential (NETA_TOKEN) which is appropriate for an API-backed image generator. However, the registry metadata at the top of the submission lists no required env vars while package.json and SKILL.md both state NETA_TOKEN is required — this metadata mismatch should be corrected/confirmed before installation.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills or system-wide settings, and is user-invocable only. Default autonomy settings are unchanged (normal for skills) but do not materially increase risk here.
Assessment
This skill appears to do what it claims: generate yearbook-style images via a Neta/TalesOfAI API. Before installing: (1) Confirm the required env var NETA_TOKEN is present and valid (the package declares it required even though the registry summary omitted it). (2) Verify you trust the API endpoint (the code calls https://api.talesofai.cn) and are comfortable sending prompt text and the token to that host. (3) Do not paste your token into public logs or public prompts; prefer environment variables. (4) Because there is no install script, you can safely inspect the yearbookphoto.js file locally — it only performs HTTP calls and prints a URL. (5) If you plan to allow autonomous agent invocation, be aware the skill will be able to call the external API whenever the agent chooses; restrict that if you don't want automated external requests. If you want higher assurance, ask the publisher to correct the registry metadata to include NETA_TOKEN and confirm the canonical API host.

Like a lobster shell, security has layers — review code before you run it.

latestvk977eqeedf6nv1zd1x9wbdsbn183qksv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments