Skill v1.0.0

ClawScan security

AI Generated Perfect Female Body – Create Ideal Body Images Online – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 12, 2026, 8:45 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (transform photos into bikini images/videos) aligns with its single requested credential (WESHOP_API_KEY) and runtime instructions, but small inconsistencies and install/operational risks (unverified npm CLI, no install spec in registry, and an explicit 'naturally undress' default prompt) warrant caution before installing or using it.
Guidance
Before installing or using this skill: (1) Verify the weshop-cli npm package and its source (check the GitHub repo and npm publisher) — installing global npm packages runs third-party code. (2) Never paste your WESHOP_API_KEY into prompts or unknown endpoints; prefer an environment variable and verify network endpoints are legitimate. (3) Consider legal and ethical issues: the default prompt requests 'naturally undress' edits which can produce sexualized or non-consensual imagery; ensure you have clear consent from any person depicted and comply with laws/policies. (4) If you must try it, run the CLI in a restricted environment (sandbox or container) and inspect the package code or use a vetted binary release. (5) Note the small registry metadata mismatch (no required binaries declared vs SKILL.md requiring 'weshop') — ask the publisher for clarification or prefer a skill with verified source and install steps.

Review Dimensions

Purpose & Capability
note: The skill's name/description and SKILL.md consistently describe calling the WeShop CLI and using WESHOP_API_KEY to generate bikini-style images/videos; requiring an API key for the service is proportionate. Minor inconsistency: registry metadata listed no required binaries while SKILL.md and its metadata declare the 'weshop' CLI (npm package) and command dependency.
Instruction Scope
note: SKILL.md only instructs the agent to call the weshop CLI and read an image file path and WESHOP_API_KEY. That stays within the stated purpose. However the default prompt explicitly requests 'naturally undress and change the outfit into a thin bikini,' which raises ethical and legal concerns (non-consensual or sexually explicit edits) even though it is not a technical incoherence. The instructions do not ask for unrelated files or unrelated environment variables.
Install Mechanism
concern: There is no formal install spec in the registry (instruction-only skill), but SKILL.md directs users to run 'npm install -g weshop-cli'. Installing a global npm package executes untrusted code from the registry; the skill does not provide a pinned, verifiable release URL. This is an operational risk (not necessarily malicious) and should be verified by the user before installation.
Credentials
ok: The only required environment variable is WESHOP_API_KEY (declared as the primary credential) which is appropriate for an API-driven CLI. No other secrets, config paths, or unrelated credentials are requested.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not indicate it will modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with additional privilege or persistent presence.