Back to skill
Skillv1.0.0
ClawScan security
Image To Sketch AI – Turn Your Photo into Stunning Sketches in Seconds – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 20, 2026, 10:22 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions line up with its stated purpose (calling WeShop's image-to-sketch OpenAPI) and request only a single, relevant API key.
- Guidance
- This skill appears coherent, but note the privacy implications: using it will upload images to openapi.weshop.ai and consume the provided WESHOP_API_KEY. Only provide an API key you trust to this domain (SKILL.md explicitly warns to never send the key elsewhere). Before using, consider: (1) whether the images contain sensitive content you do not want transmitted to a third party, (2) creating or using a limited-scope/revocable API key if available, (3) monitoring API usage/billing on your WeShop account, and (4) confirming the exact header format (SKILL.md says use the raw API key value for Authorization, not a Bearer token). If any of these are unacceptable, do not install or provide your API key.
Review Dimensions
- Purpose & Capability
- okThe skill is described as an image-to-sketch wrapper for WeShop's OpenAPI and only requires WESHOP_API_KEY and HTTPS access to openapi.weshop.ai — these are appropriate and proportional for that purpose.
- Instruction Scope
- noteSKILL.md instructs the agent to upload images and start/poll runs on openapi.weshop.ai. This is expected for an image-processing API, but it does mean user images will be transmitted to a third party — the doc explicitly warns about API key handling, which is good.
- Install Mechanism
- okNo install spec or code files are present (instruction-only), so nothing is written to disk or downloaded by the skill itself — lowest-risk installation model.
- Credentials
- okOnly a single primary credential (WESHOP_API_KEY) is required and it is directly relevant to calling the WeShop API. No unrelated secrets, config paths, or excessive env variables are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system-wide agent settings.