Skill v1.0.0

ClawScan security

AI Pose Generator – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 6:04 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it claims to call the WeShop pose-change API and only requests a WeShop API key and HTTPS access to openapi.weshop.ai, which matches its documented behavior.
Guidance
This skill appears coherent and limited to calling WeShop's openapi.weshop.ai endpoints. Before installing or providing an API key:
(1) verify you trust https://openapi.weshop.ai and the linked service (images and metadata will be sent to that external API);
(2) only supply a WeShop API key — do not reuse a high-privilege or long-lived credential used for other services; prefer a scoped or disposable key if available;
(3) monitor API key usage and rotate the key if you see unexpected activity;
(4) the SKILL.md warns to never send the key to other domains — treat that as an operational requirement (the agent cannot technically enforce it for you);
(5) if you need stronger assurance, ask for the skill's source or official homepage and consider testing with a non-sensitive image and a limited-scope API key first.

Review Dimensions

Purpose & Capability
ok: Name/description, declared primaryEnv (WESHOP_API_KEY), and the SKILL.md endpoints all align: the skill documents calls to openapi.weshop.ai to perform pose changes and does not request unrelated services or binaries.
Instruction Scope
ok: SKILL.md confines runtime actions to calls against openapi.weshop.ai (including upload and agent run endpoints) and instructs the agent to check WESHOP_API_KEY before asking the user — it does not ask to read unrelated files, other env vars, or send data to other domains.
Install Mechanism
ok: No install spec and no code files (instruction-only) — nothing is written to disk or downloaded during install according to the provided metadata.
Credentials
ok: Only one credential is required (WESHOP_API_KEY), which is appropriate for a service that requires an API key; no other credentials or config paths are requested.
Persistence & Privilege
ok: always is false and there are no requests to modify other skills or system-wide settings. Autonomous invocation is allowed by default (normal for skills) but not escalated by additional privileges.