Skill v1.0.0
ClawScan security
AI Hair Color Changer – Try Hair Colors Online Free with Virtual Try-On – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 2:36 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions align with its stated purpose of calling the WeShop CLI/API to change hair color; nothing requested is disproportionate, though there are small metadata/installation inconsistencies to note.
- Guidance: This skill looks coherent with its stated purpose, but before installing or using it: 1) confirm the 'weshop-cli' npm package and its GitHub repo are legitimate and review the package code or maintainers if possible; 2) only obtain an API key from the official WeShop authorization page linked in SKILL.md and never paste the API key into chat or as a CLI argument; 3) be aware that images you upload will be sent to the remote service (privacy considerations); and 4) note the small metadata mismatch (the skill expects the 'weshop' command but the registry metadata omitted required binaries); it's likely harmless, but you may want the publisher to correct it for clarity.
- Findings
[no_code_to_scan] expected: The package is instruction-only (SKILL.md) and contains no code files for the regex scanner to analyze. This is expected for a CLI-invocation skill.
Review Dimensions
- Purpose & Capability (note): The skill claims to call the weshop CLI and requires a WESHOP_API_KEY, which is appropriate for an image-transform service. However, registry metadata earlier listed no required binaries while the SKILL.md explicitly states the 'weshop' command is required; this mismatch is likely an oversight but should be fixed for clarity.
- Instruction Scope (ok): SKILL.md limits runtime actions to checking WESHOP_API_KEY, prompting the user if not set, and invoking the weshop CLI with image and prompt options. It does not instruct reading unrelated files or env vars or exfiltrating data to unexpected endpoints; the only external endpoint referenced is openapi.weshop.ai (per the doc).
- Install Mechanism (note): The skill is instruction-only (no install spec). It recommends installing the weshop-cli via 'npm install -g weshop-cli' and links to the npm/GitHub pages. This is a typical recommendation, but installing third-party global npm packages carries the normal risk of executing unreviewed code; the skill itself does not perform any downloads.
- Credentials (ok): Only WESHOP_API_KEY is required and declared as primaryEnv, which is proportionate to a CLI that calls a cloud image-transform API. SKILL.md warns against passing the key on the command line and instructs to read it from the environment, which is appropriate.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other concerning attributes.
