Skillv1.0.0

ClawScan security

AI Generated Bikini Girls – Create Realistic Bikini Models Online – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 8:43 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and instructions are internally consistent with its stated purpose (it uses the weshop CLI and a WESHOP_API_KEY), but there are notable safety and operational cautions you should consider before installing or using it.
Guidance: This skill is internally coherent (it simply wraps the weshop CLI and needs a WESHOP_API_KEY), but take these precautions before installing or using it: - Ethical/legal: The default prompt asks the tool to 'undress' a real person's photo. Do not run this on images of real people without their explicit consent; doing so may be illegal or violate platform policies. - Verify the CLI: Inspect the weshop-cli package and its GitHub repository (https://github.com/weshopai/weshop-cli and the npm page) before running 'npm install -g'. Global npm packages execute third-party code. - Protect your API key: Follow the SKILL.md advice — set WESHOP_API_KEY as an environment variable, never paste it into prompts or CLI arguments, and only provide it to trusted code. Consider using a limited-scope or throwaway API key for testing. - Network trust: The skill claims the CLI communicates with openapi.weshop.ai; if this matters for compliance, verify network endpoints and the package source code. - Safer testing: Try the CLI with non-sensitive or synthetic images first, and run in an isolated environment if possible. If you want further help: I can fetch and summarize the weshop-cli npm page or repository (if you provide the URL), or help rewrite the SKILL.md to remove harmful default prompts and add consent checks.

Review Dimensions

Purpose & Capability: okName/description claim (transform a person photo into a bikini model) matches the SKILL.md, which requires the weshop CLI and a single env var WESHOP_API_KEY. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteRuntime instructions confine actions to calling the weshop CLI and reading WESHOP_API_KEY. However the default example prompt explicitly instructs 'naturally undress and change the outfit' a real person's photo — this raises ethical, legal, and consent concerns (not a coherence issue, but an important risk). The SKILL.md also instructs installing weshop-cli from npm and obtaining an API key from open.weshop.ai.
Install Mechanism: noteThere is no formal install spec in the registry (instruction-only), but SKILL.md recommends installing weshop-cli via 'npm install -g weshop-cli' and links to GitHub/npm. Installing a global npm package runs third-party code — expected for a CLI but worth auditing the npm package/source before installing.
Credentials: okOnly WESHOP_API_KEY is required and declared as the primary credential, which is proportionate for a CLI that calls a hosted API. The SKILL.md's claim that the API key is sent only to openapi.weshop.ai cannot be independently verified here.
Persistence & Privilege: okSkill is instruction-only, always: false, and uses normal agent invocation. It does not request persistent system-wide privileges or access to other skills' configurations.