ClawHub

Og Image Skill

v2.0.2

Generate og image generator ai images with AI via the Neta AI image generation API (free trial at neta.art/open).

0· 162·0 current·0 all-time
by@sherrihidalgolt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, README, SKILL.md, and code all describe generating images via the Neta/TalesOfAI API (api.talesofai.com) and the code performs exactly that. Minor inconsistency: registry metadata shows no required env vars, while package.json declares a NETA_TOKEN env entry; the runtime script expects a --token flag rather than reading an env var. These are documentation/packaging mismatches, not functional red flags.
Instruction Scope
SKILL.md tells users to run the Node script with a --token flag and gives sensible CLI options. The file header in SKILL.md lists 'tools: Bash' but the provided script is a Node program — another minor doc mismatch. The instructions and script only send the prompt and optional ref UUID to the external image API and print the returned image URL; they do not read unrelated files or attempt to exfiltrate other data.
Install Mechanism
There is no install spec that downloads arbitrary code at runtime; the package is distributed as source files (ogimage.js, package.json, README). The README suggests installing via npx/clawhub which is typical. No remote arbitrary archive downloads or suspicious install URLs are present.
Credentials
The script requires a single API token to call the image service (passed via --token). This is proportionate. The only mismatch is that package.json advertises a NETA_TOKEN environment variable as 'required' (clawhub.env) while the runtime script does not read that env var — it uses the CLI flag only. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills or system settings, and does not attempt to store tokens or alter agent config. Autonomous invocation is allowed (platform default) but there are no additional elevated privileges requested.
Assessment
This skill appears to do what it claims: call the Neta/TalesOfAI image API and return an image URL. Before installing, verify the source (the README references a GitHub owner and the registry owner ID differs), and decide how you want to supply your API token: the script expects --token on the command line (avoid exposing secrets on shared shells or in logs). Be aware package.json advertises a NETA_TOKEN env var for installers (clawhub) even though the script doesn't read it — some install tooling may prompt you to set that env var. If you have sensitive data or strict network policies, confirm outbound access to api.talesofai.com and cdn.talesofai.cn is acceptable. Otherwise this skill is internally consistent and proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk971jm5356c4fnwbfb2ne7rxth83q3tt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments