ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Bikini Photo Editor-AI Editor for Swimwear & Bikini Photos – API-powered

v1.0.0

AI bikini photo editor — edit a person photo into a bikini scene with a required prompt

0· 9·0 current·0 all-time
by@sparkleming
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the declared requirements and runtime instructions: it calls openapi.weshop.ai and only requires the WESHOP_API_KEY credential which is proportional to an API-driven image-editing service.
!
Instruction Scope
SKILL.md confines network calls to openapi.weshop.ai and instructs correct header usage, but the built-in default textDescription encourages 'naturally undress and change the outfit into a thin bikini' and other sexualized edits of person photos. That creates a clear risk of non-consensual or abusive image generation. The instructions also mention uploading local images (POST /assets/images) which implies the agent will handle user image data — the skill gives no guidance for consent checks, age verification, or safe-handling of sensitive images.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk and no third-party packages are pulled in. This is the lowest install risk.
Credentials
Only a single environment variable (WESHOP_API_KEY) is required and is appropriate for calling the described API. The SKILL.md explicitly warns to only send the key to openapi.weshop.ai.
Persistence & Privilege
always:false and normal model invocation defaults. The skill does not request persistent agent-level privileges or modify other skills; no elevated presence is requested.
What to consider before installing
This skill is functionally coherent but has provenance and safety concerns you should consider before enabling it. The package has no homepage/source to verify who authored it; it points to openapi.weshop.ai and asks only for a WESHOP_API_KEY, which is expected, but you should: (1) verify that openapi.weshop.ai / open.weshop.ai are legitimate and that the API key registration page is correct; (2) avoid uploading images of people without their explicit consent and never use images of minors; (3) be aware the default prompt encourages undressing/revealing edits — consider changing prompts to require explicit consent and non-sensitive use only; (4) prefer that users supply their API key at runtime and avoid storing it in shared agent environments; (5) test with non-sensitive sample images first; and (6) review the WeShop terms/privacy and any legal/regulatory constraints in your jurisdiction. If you need higher assurance, ask the publisher for provenance (source repo, privacy policy, and developer identity) or avoid installing the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk973e082phqxzh9njcshjj4d6n84k86g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvWESHOP_API_KEY
Primary envWESHOP_API_KEY

Comments