Back to skill
Skillv1.0.0
ClawScan security
Hair Color Try On – Try Hair Colors Online Free – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 17, 2026, 4:08 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions align with its stated purpose (calling WeShop's OpenAPI to change hair color); nothing requested is disproportionate, though users should be aware images and an API key will be sent to a third-party service.
- Guidance
- This skill appears to do what it claims: it calls WeShop's API to change hair color and only requests a WeShop API key. Before installing, confirm the target host (openapi.weshop.ai) is legitimate. Understand that any images you provide will be uploaded to that third-party service — do not upload sensitive or identifying photos unless you accept that. Only supply an API key you trust for this purpose; prefer a scoped or expendable key you can revoke, and rotate keys regularly. Do not paste the API key into chat or other domains; follow the SKILL.md note that the key should only be sent to openapi.weshop.ai and that the Authorization header expects the raw key (no Bearer prefix). If you expect the agent to run autonomously, be comfortable with automatic uploads of images to the external API; otherwise, require explicit confirmation before use.
Review Dimensions
- Purpose & Capability
- okName/description match the declared requirements: the skill is an API-wrapping, instruction-only integration with WeShop and only requires a single WeShop API key (WESHOP_API_KEY), which is appropriate for this purpose.
- Instruction Scope
- noteInstructions are scoped to contacting openapi.weshop.ai (upload image, start a run, poll status). They explicitly warn not to send the API key elsewhere. Important privacy note: the skill instructs the agent to upload user images to a third-party API, so sensitive images will leave the host system — this is expected for the feature but is a privacy consideration.
- Install Mechanism
- okNo install spec or code files are present (instruction-only), so nothing is written to disk or installed. This is low-risk and coherent for an API wrapper.
- Credentials
- okOnly one environment variable (WESHOP_API_KEY) is required and is the declared primary credential. That single API key is proportionate to the described functionality.
- Persistence & Privilege
- notealways is false (no forced inclusion). The skill allows normal autonomous invocation by the agent (disable-model-invocation: false), which is standard, but because the skill transmits images and an API key to an external service, users should consider whether they want the agent to run this autonomously.