ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Bikini Model – API-powered

v1.0.0

AI bikini model — transform a person photo into a bikini model image or video

0· 17·0 current·0 all-time
by@sparkleming
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to call WeShop's OpenAPI to transform photos; it only requests a single WESHOP_API_KEY environment variable and documents the openapi.weshop.ai endpoints — this is proportionate and coherent with the stated purpose.
Instruction Scope
SKILL.md stays within the API's endpoints and instructs using the WESHOP API. However, the default prompt instructs the model to 'naturally undress and change the outfit into a thin bikini', which encourages sexualized/non-consensual transformations. The doc mentions uploading 'local image' assets (POST /openapi/agent/assets/images) but does not clarify how local files are accessed or whether the agent will read local paths — this ambiguity can lead to unintended file access or data exfiltration if the agent implements file uploads.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal filesystem footprint and low installation risk.
Credentials
Requires only the WESHOP_API_KEY (declared as primaryEnv), which is appropriate for an API-backed skill. Note: SKILL.md instructs using the raw API key in the Authorization header; the agent or any intermediary could accidentally log or leak this key if not handled carefully.
Persistence & Privilege
always is false and there are no special persistence requests. The skill can be invoked autonomously (platform default) — not itself a coherence problem, but consider the sensitivity of allowing autonomous processing of user photos and API calls.
What to consider before installing
This skill appears to do what it says (call WeShop with a WESHOP_API_KEY), but you should consider serious privacy and ethical issues before installing: 1) The default behavior encourages creating sexualized images of people (the default prompt explicitly says to 'undress' subjects), which can be non-consensual and legally risky — avoid using images of minors or anyone who hasn't consented. 2) Confirm how the agent will handle local images and file uploads: only allow uploading files you control and be wary of any agent behavior that reads arbitrary local paths. 3) Protect your WESHOP_API_KEY: only provide it via the declared env var and ensure the agent will send it only to openapi.weshop.ai as documented; avoid pasting the key into free-text chat. 4) Review WeShop's privacy/retention policy (open.weshop.ai) to understand how images and outputs are stored. If you need stricter guarantees (consent verification, local-only processing), favor tools that run locally or that explicitly support consent checks and private processing.

Like a lobster shell, security has layers — review code before you run it.

latestvk974xj7g8jat863v376vprkd3x84j9h2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvWESHOP_API_KEY
Primary envWESHOP_API_KEY

Comments