Skill v1.0.0
ClawScan security
AI Breast Expansion – Natural Body Proportion Editing for Photos Online – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 12:03 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with its stated purpose: it uses the weshop CLI and a WESHOP_API_KEY to call WeShop's image-editing API; nothing requested appears unrelated to that goal.
- Guidance
- This skill appears internally consistent, but take these precautions before installing or using it: 1) Verify the weshop-cli package and its GitHub repo (check publisher, recent activity, and reviews) before running 'npm install -g'. Global npm installs run code on your system and can be risky. 2) Keep your WESHOP_API_KEY secret and only set it as an environment variable; never paste it into prompts or CLI arguments. 3) Confirm the API endpoint (openapi.weshop.ai) and the vendor's trustworthiness. 4) Consider legal/privacy/consent implications of editing images of people — ensure you have permission to modify and distribute the photos. 5) If you want to limit risk, avoid installing the CLI on sensitive machines or run it in an isolated environment.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the actions in SKILL.md: the skill calls the weshop CLI to perform AI image edits. The single required env var (WESHOP_API_KEY) is appropriate for an external API-backed image-editing tool.
- Instruction Scope
- ok: Instructions are narrowly scoped: they tell the agent to use the 'weshop ai-breast-expansion' command, to read WESHOP_API_KEY from the environment, and to accept an optional image path. There are no instructions to read unrelated files or network endpoints beyond the stated service, and the README explicitly warns not to leak the API key.
- Install Mechanism
- note: This is an instruction-only skill (no install spec), but SKILL.md recommends installing the weshop-cli via 'npm install -g weshop-cli' and links to a GitHub repo and npm package. Installing a global npm package is a moderate-risk action — it's coherent with the skill's needs but users should verify the package's authenticity and trustworthiness before installing.
- Credentials
- ok: Only WESHOP_API_KEY is required and declared as the primary credential. That is proportionate and expected for an API-driven CLI tool; no other secrets or unrelated credentials are requested.
- Persistence & Privilege
- ok: The skill is not force-installed (always:false) and does not request system-wide privileges or modify other skills. It relies on a CLI the user must install; autonomous invocation is allowed by default but not combined with other privilege red flags.
