Skill v1.0.0

ClawScan security

Custom Bikini – Design & Try-On Personalized Swimwear Online – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 1:35 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's technical requirements match its stated purpose, but the runtime instructions include sexually explicit image transformation defaults and lack any consent/age-safety checks, which is a significant policy and safety concern.
Guidance
This skill technically matches what it claims to do and only needs an API key, but its runtime instructions include a default prompt that generates sexualized edits of people and there are no requirements to verify consent or age. Before using or installing: 1) consider the ethical and legal risks of creating sexualized images or deepfakes (especially non-consensual or involving minors); 2) require explicit, documented consent from the photographed person and an age check before uploading images; 3) store the WESHOP_API_KEY securely and only ever send it to openapi.weshop.ai as instructed; 4) confirm the vendor's terms-of-service and privacy policies (we don't have a homepage or source link here); and 5) if you need safer behavior, ask the skill author to add mandatory consent/age checks and to remove/neutralize the explicit default prompt text before use.

Review Dimensions

Purpose & Capability
ok: Name/description (transform person photos into bikini images/videos) align with the declared requirement: a single API credential (WESHOP_API_KEY) and HTTPS access to openapi.weshop.ai. There are no unrelated env vars or binaries requested.
Instruction Scope
concern: The SKILL.md instructs uploading local images and invoking openapi.weshop.ai endpoints (expected), but the default run parameter textDescription explicitly directs sexualized edits: 'naturally undress and change the outfit into a thin bikini while keeping body proportions natural. Keep Model dancing tiktok dance.' There are no instructions to verify explicit consent from the photo subject, to confirm the subject is an adult, or to avoid non-consensual deepfakes. That omission is a major safety/privacy concern and scope creep beyond benign image-editing.
Install Mechanism
ok: Instruction-only skill with no install steps or downloaded code; nothing is written to disk by the skill itself. This is the lowest install risk.
Credentials
ok: Only one env var (WESHOP_API_KEY) is required and is consistent with calling the WeShop OpenAPI. The SKILL.md gives explicit guidance about using the raw key and restricting requests to openapi.weshop.ai, which is proportionate.
Persistence & Privilege
ok: Skill is not always-included and does not request elevated agent privileges or modify other skills. Autonomous invocation is allowed by default (normal), but not combined with any other broad privileges here.