Skillv1.0.0

ClawScan security

Cute Anime Girl AI Bikini – Generate Anime Bikini Art Online – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 15, 2026, 1:35 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill’s declared requirements (a single WESHOP API key) match its described capability, but the source is unknown, there are no provenance links, and the runtime instructions encourage generating sexualized transformations of real-person photos without consent or safety checks — this combination warrants caution.
Guidance: This skill is coherent technically (it needs only a WESHOP API key and talks to openapi.weshop.ai) but has two practical issues you should consider before installing: (1) provenance: the package has no homepage or source repo and is published by an opaque owner — if you rely on it you should be comfortable trusting that unknown party with an API key; (2) safety/legal: the default instructions encourage producing sexualized images from a person's photo without requiring consent or age verification — this can be unethical, illegal in many jurisdictions, and could expose you to abuse reports or account suspension. Recommendations: only provide a WESHOP API key if you trust the operator; rotate/revoke the key after testing; require explicit user consent and age verification before processing real-person photos; consider disabling autonomous invocation (set disable-model-invocation) so actions require explicit user approval each time; and, if possible, contact the service owner or prefer a vendor with clear policies and a verifiable homepage/source.

Review Dimensions

Purpose & Capability: noteName/description (transform a person photo into bikini model image/video) align with the single required env var (WESHOP_API_KEY) and the documented endpoints on openapi.weshop.ai. However, the skill package has no homepage or source reference and was published by an opaque owner ID, which reduces transparency and trust.
Instruction Scope: concernSKILL.md limits network calls to openapi.weshop.ai and instructs use of only the declared API key, but the default textDescription explicitly instructs 'naturally undress and change the outfit into a thin bikini' on a person photo. There are no instructions to obtain user consent, verify age, or avoid misuse. That lack of safety/consent checks is a substantive scope concern given the sensitive nature of transforming real-person images.
Install Mechanism: okThis is instruction-only with no install spec and no code files, so nothing is written to disk by the skill itself. Installation risk is low from a code-distribution perspective.
Credentials: okThe skill requests only one environment variable (WESHOP_API_KEY) which is proportionate to a service-backed image-generation skill. The SKILL.md also explicitly warns to only send the key to openapi.weshop.ai, which matches the declared primary credential.
Persistence & Privilege: okalways is false and there are no install hooks or instructions to modify agent/system-wide settings. The skill does not request persistent privileges beyond normal API access.