Back to skill
Skillv1.0.6
ClawScan security
Turn photos, memories, and event details into polished custom invitation posters. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 15, 2026, 2:04 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions are coherent with creating invitation posters using the mew.design APIs; it asks only for a mew.design API key and user images, and there is no hidden install or unrelated credential access.
- Guidance
- This skill appears to do what it says: it will ask you for event details, images, and a mew.design API key and then call mew.design's image-process and design-generate endpoints. Before installing or using it, consider: (1) only provide the mew.design API key if you trust the agent and revoke or replace the key later if desired (use a limited/temporary key if possible), (2) do not share highly sensitive photos unless you are comfortable with them being processed by mew.design (and by any third-party file host if you choose to allow temporary upload), and (3) when asked to upload images to a third-party host, ask which host will be used and confirm you consent. If you want stronger privacy, provide already-hosted public URLs or request the agent run entirely locally (if that option exists).
Review Dimensions
- Purpose & Capability
- okThe name/description (create invitation posters) matches the runtime instructions: the SKILL.md describes a two-stage workflow using mew.design's image-process and design-generate APIs. The skill does not request unrelated credentials, binaries, or system access.
- Instruction Scope
- noteInstructions stay focused on collecting event details, images, and a mew.design API key and calling mew.design APIs. The only out-of-service behavior is an explicit option to temporarily upload local images to a third-party file host if the user has no public URL; the SKILL.md instructs to ask for user consent before doing so. This is within the task but is a privacy tradeoff the user should notice.
- Install Mechanism
- okNo install spec and no code files — the skill is instruction-only, so nothing is downloaded or written to disk by the skill itself.
- Credentials
- okThe only credential the workflow needs is a mew.design API key provided by the user during the conversation. That is proportionate and expected for calling the stated APIs; no unrelated secrets or system config paths are requested.
- Persistence & Privilege
- okalways is false and there is no indication the skill requests persistent system privileges or modifies other skills. It relies on keys supplied in-conversation rather than storing system-wide credentials.