Skill v1.0.0
ClawScan security
AI Fat – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 4:16 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions line up with its stated purpose: it needs a WeShop API key and the weshop CLI to call WeShop's fat-ai endpoint and does not request unrelated credentials or system access.
- Guidance: This skill appears internally consistent, but before installing: (1) Verify the weshop-cli npm package and GitHub repo are legitimate and review their code or releases; (2) Never paste your WESHOP_API_KEY into prompts or command arguments; set it as an environment variable as instructed; (3) Consider privacy and consent: only transform images you have permission to use and check WeShop's terms for how they store/process uploaded images; (4) If unsure, run the CLI in an isolated environment (container or VM) and monitor network traffic to confirm it communicates only with the expected openapi.weshop.ai endpoint.
Review Dimensions
- Purpose & Capability (ok): Name/description, declared primary credential (WESHOP_API_KEY), and SKILL.md all consistently point to using the weshop CLI to call WeShop's fat-ai image transform. There are no unrelated env vars, binaries, or config paths requested.
- Instruction Scope (ok): SKILL.md instructs the agent to check WESHOP_API_KEY, prompt the user if missing, and run the weshop fat-ai command with an image and optional prompt. It does not instruct the agent to read other system files, harvest unrelated environment variables, or transmit data to endpoints other than the claimed openapi.weshop.ai (per the doc).
- Install Mechanism (note): There is no install spec in the registry (instruction-only), which is low risk. The README suggests installing weshop-cli via 'npm install -g weshop-cli'; installing third-party npm packages is a separate risk to consider (verify package source/repo and audit code) but is coherent for this skill's purpose.
- Credentials (ok): Only a single API key (WESHOP_API_KEY) is required and it is the primaryEnv. That is proportionate for a service-backed image transform. No extra secrets or unrelated credentials are requested.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request system-wide configuration changes, and uses normal autonomous invocation defaults. It does not request elevated persistence or modify other skills.
