ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Babe Generator – Create Realistic AI Girl Photos & Videos Online – API-powered

v1.0.0

AI babe generator — generate photorealistic attractive images from a person photo

0· 19·0 current·0 all-time
by@sparkleming
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared primary credential (WESHOP_API_KEY) and the endpoints in SKILL.md line up with the stated purpose (calling openapi.weshop.ai to generate images). No unrelated cloud credentials or surprising binaries are requested. However the package lists no source/homepage and the metadata is minimal, which reduces provenance and increases risk.
!
Instruction Scope
SKILL.md instructs uploading images and calling the agent endpoints on openapi.weshop.ai, which is expected. But there are clear instruction inconsistencies (the Input table lists input.images while the request example uses input.originalImage; run params reference images/textDescription separately). The default textDescription is an explicit sexualized instruction to undress the subject and may encourage generating sexual content of real people — a serious ethical/privacy risk. The doc mentions uploading 'local image' (POST /openapi/agent/assets/images) but does not clearly state what file system or UI access the agent will request, so the agent may need to read local files or ask the user to upload sensitive photos.
Install Mechanism
No install spec or code is present — the skill is instruction-only, so nothing is written to disk by an installer. This is low-risk from an install perspective.
Credentials
Only a single environment variable (WESHOP_API_KEY) is required, which is proportionate for an API-driven skill. The SKILL.md warns to only send the key to openapi.weshop.ai. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent presence or system-wide modifications. Agent autonomous invocation is allowed by default but is not combined here with broad credentials or always:true.
What to consider before installing
This skill appears to call WeShop's API and honestly requires only a WESHOP_API_KEY, but exercise caution before installing: (1) The SKILL.md contains inconsistent field names (input.images vs input.originalImage) — ask the author to clarify the exact API payloads before sending keys or images. (2) The default prompt explicitly encourages sexualized edits of person photos; that raises ethical, legal, and consent issues — avoid uploading images of real people without explicit consent. (3) There is no verifiable source or homepage for the package; prefer skills with a clear publisher or official repository. (4) Keep your WESHOP_API_KEY in an environment variable (as advised) rather than pasting it into chat, and ensure requests only go to openapi.weshop.ai. (5) If you plan to use it, test with non-sensitive, synthetic images first and ask the maintainer to fix the documentation inconsistencies and to provide publisher provenance and explicit file-handling instructions. These steps would increase confidence; absence of them is why this is flagged suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cnyts6yjekkwk29bfxx59jx84jqz8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvWESHOP_API_KEY
Primary envWESHOP_API_KEY

Comments