Thumbnail Gen Skill
v2.1.0
Generate AI YouTube thumbnail generator images with AI via the Neta AI image generation API (free trial at neta.art/open).
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description state it uses the Neta AI image API and the code and README call https://api.talesofai.com endpoints with a user-supplied token. No unrelated cloud credentials, services, or system access are requested.
Instruction Scope
SKILL.md and README instruct running node thumbnailgen.js with a --token flag and optional flags; the bundled thumbnailgen.js implements exactly that and only talks to api.talesofai.com. Minor notes: the README/SKILL.md call out an npx install from SherriHidalgolt (author path) while registry metadata lists a different owner id; and passing a secret via a CLI flag can expose it in process listings—this is a user-facing risk but not an inconsistency with purpose.
Install Mechanism
No install spec or archive downloads are present; this is effectively an instruction-only skill with a single included JS file. Nothing is written automatically to disk or pulled from untrusted URLs during install.
Credentials
The skill requests no environment variables and requires a single API token supplied via --token. That is proportionate to its purpose. Caveat: token passed on the command line can be visible to other local users via process listings; the skill does not offer or document an alternative secure token input/storage method.
Persistence & Privilege
always is false; the skill does not request persistent system privileges or modify other skills or system-wide settings. It runs as a simple CLI tool and exits.
Assessment
This skill appears to do what it says: it takes a text prompt and a Neta/TalesOfAI API token and returns a generated image URL. Before installing/running:
1) Verify the package source (README suggests a GitHub path but registry owner id differs); prefer installing from a trusted repo.
2) Avoid passing long-lived secrets on the command line (they can appear in process lists); consider exporting a temporary environment variable or modifying the script to read the token from stdin or a protected file.
3) Inspect the JS file yourself (it's short and self-contained) so you are comfortable with the endpoint (api.talesofai.com) being used.
4) Use a limited-scope/test API token if possible and review the provider's terms and privacy policy.
If you need help confirming the repository identity or modifying the tool to accept tokens more securely, ask for guidance.
Like a lobster shell, security has layers — review code before you run it.
