Skill v1.0.0
ClawScan security
Free AI Girlfriend Online Generator – Create the Most Realistic AI Girlfriend – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 5:57 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (generating AI portraits) matches what it asks for (a single WESHOP_API_KEY and the weshop CLI); nothing in the instructions or manifest appears disproportionate or unrelated to that purpose.
- Guidance: This skill is internally consistent with its purpose, but before installing or using it: 1) verify the weshop-cli npm package and its GitHub repository (check publisher, recent commits, and issues) so you trust the code that will run locally; 2) confirm the CLI actually communicates with openapi.weshop.ai (inspect source or monitor network calls) if you want assurance the API key is not sent elsewhere; 3) never paste your API key into public prompts or arguments (set WESHOP_API_KEY in your environment or use a scoped key if WeShop offers one); 4) consider installing/testing the CLI in an isolated environment (container or VM) if you have low tolerance for risk; and 5) review WeShop's content and privacy policies if you have concerns about generated imagery or data retention.
Review Dimensions
- Purpose & Capability (ok): Name/description request a photo-style portrait generator and the skill only requires the WeShop API key and the weshop CLI, which is coherent with that purpose.
- Instruction Scope (ok): SKILL.md limits actions to using the weshop CLI and reading WESHOP_API_KEY from the environment; it does not instruct reading unrelated files or exfiltrating other credentials. The file claims the CLI sends the key to openapi.weshop.ai; this is a claim the user should verify by inspecting the CLI source if they need extra assurance.
- Install Mechanism (note): This is an instruction-only skill (no install spec in registry). It recommends installing the weshop-cli from npm (`npm install -g weshop-cli`) and points to a GitHub repo and npm page; installing a third-party global npm package is a normal step but users should confirm the package's authenticity and review its source before installing.
- Credentials (ok): Only a single environment variable (WESHOP_API_KEY) is required and is directly relevant to calling the external image-generation API. No unrelated secrets, config paths, or multiple credentials are requested.
- Persistence & Privilege (ok): The skill is not forced-always and uses default agent invocation. It does not request persistent elevated privileges or to modify other skills or system-wide settings.
