Skill v1.0.0
ClawScan security
Outfit Generator – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 1:27 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with an image-based outfit-generation API: it only asks for a single WeShop API key and uses openapi.weshop.ai endpoints; no installs or unrelated credentials are requested.
- Guidance: This skill appears coherent, but keep these practical precautions:
  1) Only use a WeShop API key you trust and follow the SKILL.md warning — the key should only go to openapi.weshop.ai.
  2) Understand that user images will be uploaded to an external service; avoid uploading sensitive images unless you trust WeShop's privacy policy and security.
  3) Confirm how your agent handles local files before giving it permission to upload images from your device.
  4) Because the skill source and homepage are unknown, consider obtaining the API key with limited scope/quota or using an expendable/test key first.
  5) Review WeShop's documentation and pricing to avoid unexpected costs.
Review Dimensions
- Purpose & Capability (ok): Name/description (outfit generator) align with declared requirement (WESHOP_API_KEY) and the listed endpoints on openapi.weshop.ai. Requiring that API key is proportionate to the stated purpose.
- Instruction Scope (note): SKILL.md confines activity to WeShop endpoints (runs, polling, image asset upload) and clearly instructs where the API key may be sent. It references an endpoint to upload local images (POST /openapi/agent/assets/images) — this implies the agent may upload images provided by the user, but the instructions do not ask the agent to read arbitrary local system files or other credentials. Recommend confirming agent behavior around local file access before uploading sensitive images.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk by an install step. This is the lowest-risk install model.
- Credentials (ok): Only one environment variable (WESHOP_API_KEY) is required and it is the primary credential for the service named in the skill. No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always is set to false and the skill is user-invocable; it does not request persistent system-level privileges or modification of other skills' configuration.
