Back to skill
Skillv1.0.0
ClawScan security
Murder Drone OC Maker – Create Unique Drone OC Characters – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 20, 2026, 1:27 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with its stated purpose (calling the WeShop OpenAPI with a WESHOP_API_KEY to produce Murder Drones–style character images); nothing requested is disproportionate or unrelated to the described functionality.
- Guidance
- This skill appears to do what it says: call WeShop's OpenAPI to create Murder Drones–style character images and needs only your WESHOP_API_KEY. Before installing/using it: (1) Only provide the API key as an environment variable or via the skill when prompted — never paste it into unrelated chat windows or send it to domains other than https://openapi.weshop.ai. (2) Be cautious about uploading photos of other people — ensure you have consent and understand privacy/portrait-law and deepfake risks. (3) Confirm the API key you supply is legitimate and from WeShop (https://open.weshop.ai/authorization/apikey). (4) Because this is instruction-only (no install), the runtime risk is limited to outbound API calls and uploaded images; if you are uncomfortable with that data flow, do not enable the skill.
Review Dimensions
- Purpose & Capability
- okName/description match the declared dependency on a single WeShop API key and the documented endpoints at openapi.weshop.ai. Requiring WESHOP_API_KEY is expected for an API-backed image-generation tool; no unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- okSKILL.md instructs the agent to use only openapi.weshop.ai endpoints, to check for WESHOP_API_KEY before asking the user, and describes the API calls needed (start run, poll run, upload images). It does not instruct reading unrelated files or environment variables. Note: the skill uploads user-provided images to the API—users should be warned about privacy/consent and potential IP/portrait issues.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files. This minimizes on-disk execution risk; no packages, downloads, or nonstandard installers are present.
- Credentials
- okOnly a single environment variable (WESHOP_API_KEY) is required and declared as the primary credential; this is proportional to an API-based image-generation service. No other secrets or unrelated credentials are requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide privileges or to modify other skills. The default ability for the agent to invoke the skill autonomously is not by itself a concern and is appropriate for this kind of integration.