Skill v1.0.0
ClawScan security
Free AI Tattoo Generator – Create Custom Tattoo Designs from Text or Image – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 6:12 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (calling a WeShop CLI to generate tattoo images) matches the single credential it requests, but there are a few small inconsistencies and normal supply-chain risks you should be aware of before installing/running anything.
- Guidance: This skill appears to do what it claims: it calls the WeShop CLI using your WESHOP_API_KEY to generate tattoo try-on images. Before using it: (1) verify the npm package and GitHub repo (https://github.com/weshopai/weshop-cli and the npm listing) are legitimate and maintained; (2) prefer creating a scoped/limited API key if the provider supports it; (3) avoid pasting your API key into prompts or CLI arguments — set it in the environment as recommended; (4) be aware that installing a global npm package runs third-party code on your machine — consider inspecting the package or running it in an isolated environment if you have security concerns. The small metadata mismatch (registry says no required binaries while SKILL.md requires the 'weshop' CLI) is likely an editing oversight but verify the existence of the 'weshop' binary before invoking the skill. If you want higher assurance, ask the publisher for a reproducible install/verification procedure or for the CLI's pinned release hash.
Review Dimensions
- Purpose & Capability (note): The skill is an instruction-only wrapper around the weshop CLI and asks only for WESHOP_API_KEY, which is appropriate for an API-backed image generator. However, the registry metadata lists no required binaries while the SKILL.md explicitly requires the 'weshop' CLI (npm package 'weshop-cli') — that's an internal inconsistency to be aware of.
- Instruction Scope (ok): SKILL.md limits actions to checking the WESHOP_API_KEY environment variable, asking the user to set it if missing, optionally reading a user-supplied image file, and invoking 'weshop ai-tattoo-generator'. It does not instruct reading unrelated files or exfiltrating data beyond the stated API endpoint. The claim that the API key is sent only to 'openapi.weshop.ai' is declarative and not enforced by the skill text.
- Install Mechanism (note): There is no formal install spec (skill is instruction-only). The instructions ask you to run 'npm install -g weshop-cli' if the CLI is missing. Installing a global npm package is a reasonable way to get a CLI, but it carries the usual supply-chain risk (npm packages can contain arbitrary code). The SKILL.md links to a GitHub repo and npm package which helps traceability — you should verify those sources before installation.
- Credentials (ok): Only one environment variable is required: WESHOP_API_KEY (declared as the primary credential). That is proportionate to the stated functionality; there are no unexpected credential requests or config path accesses.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not declare any system-level config modifications. Allowing autonomous invocation is the platform default and not a special privilege here.
