Skill v1.0.0
ClawScan security
Free AI Ghost Mannequin Generator - Remove Mannequin from Clothing Photos Instantly – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 2:35 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a CLI wrapper for the WeShop image API and only require a WeShop API key; nothing in the SKILL.md appears to request unrelated secrets or perform unexpected actions.
- Guidance: This skill appears coherent: it uses the WeShop CLI and a WeShop API key to generate images. Before installing or supplying an API key: (1) verify the legitimacy of the weshop-cli package and its GitHub/npm sources (running npm install -g executes third-party code), (2) only provide a WeShop API key you trust and avoid pasting it into prompts or other services, (3) consider using a limited-scope/test key if WeShop supports it, and (4) be mindful that uploaded photos might contain sensitive information (labels, tags, or metadata) that will be sent to the remote service.
Review Dimensions
- Purpose & Capability: ok. Name, description, and declared requirement (WESHOP_API_KEY + weshop CLI) match a cloud image-generation tool. Asking for a provider API key is expected for this purpose.
- Instruction Scope: ok. SKILL.md instructs checking WESHOP_API_KEY, using the weshop CLI command with image and options, and points to weshop endpoints. It does not instruct reading other local files, system credentials, or sending data to unrelated endpoints.
- Install Mechanism: ok. No install spec is embedded; the doc suggests installing the npm package 'weshop-cli' which is a standard, expected mechanism. No arbitrary download URLs or archive extraction are present in the skill manifest.
- Credentials: ok. Only a single credential (WESHOP_API_KEY) is required and it is consistent with the documented third-party API usage. No unrelated secrets or multiple credentials are requested.
- Persistence & Privilege: ok. The skill is not always-enabled and does not request system-wide persistence or modify other skills. It relies on a normal CLI and environment variable; autonomous invocation remains platform-default but is not elevated here.
