Skill v1.0.0

ClawScan security

Happy Woman Bikini AI Pic – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 17, 2026, 4:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are internally consistent with its stated purpose (an API-backed image/video transform) and only require a single service API key; there are no install steps or unrelated credentials requested.
Guidance
This skill appears to be a thin wrapper for the WeShop API and only needs your WESHOP_API_KEY. Before installing or using it:
1) Verify the legitimacy of open.weshop.ai and that you trust the service provider;
2) Only provide an API key you control and ensure it has limited scope/permissions;
3) Do not use real-person photos without explicit consent and do not process images of minors—the skill's default prompt requests sexualized transformations which has significant privacy/ethical/legal implications;
4) Ask the publisher for documentation or an OpenAPI spec if you need to confirm exact request/field names (SKILL.md has minor inconsistencies between the input table and example payload);
5) Monitor network calls and API key usage after enabling the skill and revoke the key if you see unexpected activity.

Review Dimensions

Purpose & Capability
ok
The skill is an instruction-only wrapper for a remote WeShop API (openapi.weshop.ai) and declares the single required credential WESHOP_API_KEY. Requiring an API key for a remote image-generation service is proportionate to the described functionality.
Instruction Scope
note
SKILL.md instructs the agent how to call specific WeShop endpoints and to check WESHOP_API_KEY before asking the user. This stays within the skill's scope, but there are small inconsistencies in field naming (the input table lists input.images / images while the example uses originalImage and vague params), and the instructions include a default prompt that effectively asks the service to 'undress' or sexualize a photographed person without any guidance to verify consent or age. The file- and env-access surface is limited to the declared API key and optional local image upload endpoint.
Install Mechanism
ok
No install spec and no code files are present (instruction-only). This minimizes local persistence and disk writes, so the install risk is low.
Credentials
ok
Only one environment variable (WESHOP_API_KEY) is required and declared as the primary credential. That is proportionate for a remote API skill; no unrelated credentials or config paths are requested.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated agent-wide privileges or to modify other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.