Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Professional AI Fashion Photo, Image & Video Generator – CLI-powered
v1.0.3Use this skill for image and video generation, editing, and transformation tasks via the weshop CLI — virtual try-on, model swap, background replace, pose ch...
⭐ 1· 100·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The skill is an instruction-only wrapper for the weshop CLI and declares WESHOP_API_KEY as its sole credential; that aligns with an image/video generation/editing tool. The listed commands (virtualtryon, face-swap, removebg, etc.) are consistent with the described fashion/image transformations.
Instruction Scope
SKILL.md instructs the agent to check WESHOP_API_KEY and to run the weshop CLI (e.g., weshop --version, weshop <command>). It does not instruct reading unrelated system files or other environment variables. Important: using the CLI will typically upload user images to the vendor (openapi.weshop.ai) — the document asserts the API key is sent only to that endpoint but the agent/user should assume image data will be transmitted to the remote service. The skill also contains many sensitive transformation options (face swap, age/gender/bodysize transforms) which require ethical consideration and consent.
Install Mechanism
There is no automated install spec in the skill bundle (instruction-only). However SKILL.md recommends installing weshop-cli via npm (npm install -g weshop-cli@0.2.1) and points to a GitHub repo. Installing a third-party global npm package executes code on the host and is a moderate risk: you should inspect the package/source and provenance before installing.
Credentials
Only WESHOP_API_KEY is required and declared as the primary credential, which is proportionate for a CLI that talks to an external API. The SKILL.md also explicitly warns not to pass the API key on the command line and to ask the user only if the env var is missing; no other secrets or unrelated env vars are requested.
Persistence & Privilege
The skill is not always-enabled, does not request persistent platform privileges, and does not declare any actions that modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but that is not combined with elevated privileges here.
Assessment
This skill is coherent for calling the weshop CLI, but it depends on an external npm/GitHub CLI and a remote service. Before installing or using it: 1) Verify the weshop-cli package and its GitHub repository (review code, maintainer reputation, recent releases). 2) Understand that images (including faces) you provide will likely be uploaded to the vendor (openapi.weshop.ai) — do not upload images with minors or people who haven't consented. 3) Keep your WESHOP_API_KEY secret; follow the SKILL.md advice and set it only as an environment variable, never paste it into prompts. 4) Consider installing the CLI in a sandbox or VM and monitor network activity if you want stronger isolation. 5) If you need stronger assurances, ask the skill author for a signed release or an audit of the npm package. Because this bundle contains only instructions and no local code to inspect, the main risk is the external CLI/service it requires.Like a lobster shell, security has layers — review code before you run it.
latestvk97atnc643skhzzxdgzpbgds9s84g9tt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvWESHOP_API_KEY
Primary envWESHOP_API_KEY