Back to skill
Skillv1.0.0
ClawScan security
AI Bald Filter – See Yourself Bald Instantly with a Free Bald Filter Online – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 8:31 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions align with an image-editing API that uses a single WeShop API key; nothing requested or instructed is disproportionate to the stated purpose.
- Guidance
- This skill appears coherent for calling a hosted bald-filter API, but consider privacy and credential handling before installing: only provide a WESHOP_API_KEY if you trust the provider; uploaded images will be sent to openapi.weshop.ai for processing, so avoid uploading sensitive photos you don't want stored or processed externally; treat the API key as a secret (rotate/revoke if exposed) and prefer a scoped or short-lived key if available; verify the domains (openapi.weshop.ai and open.weshop.ai) are legitimate and check the service's privacy terms; if you are concerned about an agent acting autonomously, consider restricting agent invocation or reviewing requests that include your API key.
Review Dimensions
- Purpose & Capability
- okName/description (bald filter) matches the only required credential (WESHOP_API_KEY) and the SKILL.md documents endpoints at openapi.weshop.ai for uploading images, starting runs, and polling results. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope
- okRuntime instructions stay focused on using the WeShop OpenAPI: upload an image, start a run, poll for results. The doc explicitly warns to only send the API key to openapi.weshop.ai and to check WESHOP_API_KEY before asking the user. There are no instructions to read unrelated files or to exfiltrate environment variables.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk or fetched during install. That is the lowest-risk install profile.
- Credentials
- okThe skill requests a single API key (WESHOP_API_KEY) which is appropriate and expected for a hosted image-processing API. No additional secrets, tokens, or unrelated environment variables are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated persistence or modifications to other skills or system settings. It uses the platform default (agent-invocable) behavior.