Skill v1.0.0
ClawScan security
Civitai Generation API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 15, 2026, 3:02 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and SKILL.md require a CivitAI API token and an npm package, but the registry metadata declares no required credentials and no install steps. This mismatch, together with the undeclared dependency, is the main concern.
- Guidance: This skill appears to implement what it claims (generating images via CivitAI), but the package metadata omits key runtime requirements. Before installing:
  1. Verify the skill's origin: the registry metadata lacks a homepage and lists no owner contact.
  2. Expect to provide CIVITAI_API_TOKEN as an environment variable (the script exits without it), and confirm you are comfortable granting that token to a tool that will call the CivitAI API on your behalf.
  3. The SKILL.md asks you to run 'npm install civitai'. Confirm the npm package's source and version, and prefer pinning to a known-good version (for example via a lockfile) rather than installing whatever is latest.
  4. The script downloads the image from whatever blob URL the API returns. Consider running it in an isolated or containerized environment to limit the impact of an unexpected or malicious download.
  5. Ask the publisher to update the registry metadata to declare CIVITAI_API_TOKEN and the civitai dependency explicitly, and ideally to provide a homepage or source repository.
  If you need higher assurance, review the full 'civitai' npm package code and the bundled script in a sandbox before supplying your API token.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, and the included script all align. The tool generates images via the CivitAI JavaScript SDK and accepts model, sampler, and LoRA parameters; the requested functionality is coherent with the code.
- Instruction Scope (note): The runtime instructions and the script stay within the stated purpose (submitting a generation job, waiting for completion, downloading the resulting blob URL, saving an image). The SKILL.md and the script require CIVITAI_API_TOKEN and the 'civitai' npm package. The markdown example includes an external blob/storage URL; the script downloads whatever URL the API returns, which is expected behavior but means the skill makes outbound requests to arbitrary blob URLs chosen by the service.
- Install Mechanism (note): There is no install spec (instruction-only), which is lower risk, but the SKILL.md instructs users to run 'npm install civitai' and the script requires the 'civitai' package. The registry metadata does not declare this dependency, an omission that can cause surprises at install time and should be corrected. No direct downloads or extract steps are present in the skill bundle.
- Credentials (concern): The SKILL.md and the script require the environment variable CIVITAI_API_TOKEN (the script exits if it is missing). However, the registry metadata lists 'Required env vars: none' and 'Primary credential: none'. That mismatch is a significant inconsistency: a credential is required at runtime but not declared in the skill metadata.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes only the generated image to the specified output path and does not attempt to modify other skills or system-wide configuration.
