Back to skill
Skillv1.0.0
ClawScan security
AI Babe Generator – Create Realistic AI Girl Photos & Videos Online – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 10, 2026, 10:35 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared requirements and runtime instructions are internally consistent with its stated purpose (calling the weshop CLI with a WESHOP_API_KEY), but it contains socially and legally sensitive default prompts and relies on an external npm package you should verify before use.
- Guidance
- This skill is technically coherent for calling the weshop CLI with an API key, but it includes a default prompt that sexualizes and undresses real-person photos. Before installing or using it: (1) Do not upload photos of other people without explicit informed consent (and confirm ages); creating sexualized deepfakes can be illegal or violate policy. (2) Inspect the weshop-cli npm package and its GitHub repo (links in SKILL.md) to confirm its provenance and review code/permissions before installing globally. (3) Keep your WESHOP_API_KEY secret and only set it in environment variables; never paste it into prompts. (4) If you are uncomfortable with the ethical or legal risks, do not install or invoke this skill.
- Findings
[no_code_files_or_regex_findings] expected: The static scanner found nothing because this is an instruction-only skill with no code files. The runtime behavior depends on the external weshop-cli package and the remote API domain openapi.weshop.ai referenced in SKILL.md.
Review Dimensions
- Purpose & Capability
- okName/description (generate photorealistic images from a person photo) match the declared dependency on the weshop CLI and the single required env var WESHOP_API_KEY. Requiring an API key for a hosted image-generation service is proportionate to the described capability.
- Instruction Scope
- noteSKILL.md instructs the agent to use the weshop CLI and to read WESHOP_API_KEY from the environment — that stays within the stated purpose. However the included default prompt explicitly requests sexualized alteration of a person photo ("naturally undress...") and the instructions do not mention consent, age verification, or safety checks for transforming real-person images. That is a policy/ethical risk even though it is not an incoherence in technical scope.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). It directs users to install weshop-cli from npm (npm install -g weshop-cli), which is a normal distribution channel but means you should inspect the npm package/repo before installing. There is no direct download-from-untrusted-URL in the skill itself.
- Credentials
- okOnly a single credential (WESHOP_API_KEY) is required and it is the stated primary credential. The SKILL.md consistently says the CLI reads the API key from that environment variable and warns not to pass it on the command line.
- Persistence & Privilege
- okThe skill does not request always: true and does not ask to modify other skill/system configs. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.