Skill v1.0.0
ClawScan security
Generate Product Mockup Photos · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 2:25 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions are generally consistent with generating product mockup images, but several mismatches in metadata and references to external projects/sites make its origin and installation unclear — verify external links and the referenced repo before installing.
- Guidance
- This skill appears to do what it says (generate product mockups) but has provenance inconsistencies: SKILL.md and README point to external sites/repos (skillboss.co, a 'qiaomu' GitHub repo) that don't match the registry metadata. Before installing or running it:
  1. verify the external homepage/repo URLs are legitimate and match the publisher you trust;
  2. inspect the referenced GitHub repo if you plan to install manually to ensure it doesn't add code or installers you don't expect;
  3. confirm which image_generation provider will be used and whether any API keys or data will be sent to third parties;
  4. avoid granting any credentials or running clone/install commands until you're satisfied with the source.
  These provenance issues keep my confidence from being high; if you can provide the upstream repo URL or a known homepage for the publisher, I can reassess.
Review Dimensions
- Purpose & Capability
- note: The name, description, and SKILL.md all describe generating product mockups and reference an image_generation API, which aligns. However, README installation instructions point to a different GitHub repo, and the SKILL.md/homepage repeatedly link to skillboss.co while the package metadata lists 'source: unknown' and no homepage, which is an inconsistency.
- Instruction Scope
- ok: The runtime instructions are high-level guidance for producing images and do not instruct the agent to read local files, access unrelated env vars, or exfiltrate data. They do mention using 'SkillBoss capabilities' without specifying what data would be sent to external services — this is vague but not explicitly malicious.
- Install Mechanism
- ok: There is no install spec and no code files, so no code is written to disk by the skill itself. The README includes optional git clone or ClawHub install commands that reference a third-party GitHub repo (qiaomu...), which is a red flag for provenance/consistency but not an active install performed by the skill metadata.
- Credentials
- ok: The skill declares no required environment variables, secrets, or config paths, which is appropriate for an instruction-only image-generation skill. The SKILL.md also does not reference any environment variables.
- Persistence & Privilege
- ok: The skill does not request 'always' presence and uses default model invocation settings. Nothing in the package attempts to change other skills or system-wide settings.
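The checks the Guidance and the Purpose & Capability, Install Mechanism and Credentials dimensions describe (do the documents point at sites or repos the registry metadata does not declare, does the README tell the user to run clone/install commands the package itself has no install spec for, are any credentials named that the metadata does not list) can be run mechanically over a skill package before installing it. The Python below is an added example, not ClawScan's scanner or any code from the skill; the SKILL.md, README and metadata it inspects are constructed stand-ins modelled on the mismatch pattern reported on this page (skillboss.co links, a `git clone` of a GitHub repo, `source: unknown`, no homepage). The github.com URL is a placeholder rather than the repo the README actually cites, and the regexes, dimension names and function names are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for the registry metadata and the two documents the scanner
# compared. They mirror the mismatch on this page (docs point at external sites/repos,
# metadata declares no source or homepage); they are NOT the skill's real files, and
# the GitHub URL is a placeholder, not the repo the README cites.
REGISTRY_METADATA = {
    "name": "Generate Product Mockup Photos",
    "version": "1.0.0",
    "source": "unknown",
    "homepage": None,
    "required_env": [],   # no env vars, secrets or config paths declared
    "install": None,      # no install spec: the skill itself writes nothing to disk
}

SKILL_MD = """\
# Generate Product Mockup Photos
Use the image_generation API to render the product on a clean studio backdrop.
More templates at https://skillboss.co/mockups (uses SkillBoss capabilities).
"""

README_MD = """\
## Install
Option A: clawhub install generate-product-mockup-photos
Option B: git clone https://github.com/example-user/example-mockup-skill.git
"""

URL_RE = re.compile(r"https?://[^\s)>\]\"']+")
# Shell-style $VAR / ${VAR} references, or bare names that look like secrets.
ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?|\b([A-Z][A-Z0-9_]*(?:_KEY|_TOKEN|_SECRET))\b")
# Commands a README may tell the user to paste; the remote-fetching ones matter most.
INSTALL_RE = re.compile(r"\b(git clone|curl|wget|pip install|npm install|clawhub install)\b[^\n]*")
REMOTE_FETCH = {"git clone", "curl", "wget"}
DIMENSIONS = ("Purpose & Capability", "Install Mechanism", "Credentials")


@dataclass
class Finding:
    dimension: str
    severity: str  # "note" or "flag"
    detail: str


def external_domains(text: str) -> set[str]:
    """Hostnames of every http(s) URL in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def review(metadata: dict, docs: dict[str, str]) -> list[Finding]:
    """Cross-check the docs against registry metadata; one Finding per inconsistency."""
    findings: list[Finding] = []
    declared_hosts = set()
    if metadata.get("homepage"):
        declared_hosts.add(urlparse(metadata["homepage"]).hostname.lower())
    declared_env = set(metadata.get("required_env") or [])

    for name, text in docs.items():
        # 1) Provenance: every site/repo the docs point at should be one the registry declares.
        for host in sorted(external_domains(text) - declared_hosts):
            findings.append(Finding(
                "Purpose & Capability", "flag",
                f"{name} links to {host} but metadata declares source={metadata.get('source')!r}, "
                f"homepage={metadata.get('homepage')!r}"))
        # 2) Install: commands the user is told to run although the package has no install spec.
        if metadata.get("install") is None:
            for m in INSTALL_RE.finditer(text):
                severity = "flag" if m.group(1) in REMOTE_FETCH else "note"
                findings.append(Finding(
                    "Install Mechanism", severity,
                    f"{name} says to run `{m.group(0).strip()}`; verify that source before running it"))
        # 3) Credentials: env vars or secrets named in the docs but not declared in metadata.
        for m in ENV_RE.finditer(text):
            var = m.group(1) or m.group(2)
            if var not in declared_env:
                findings.append(Finding(
                    "Credentials", "flag", f"{name} references {var}, which metadata does not declare"))
    return findings


def dimension_status(findings: list[Finding]) -> dict[str, str]:
    """Roll findings up to one ok/note/flag status per review dimension."""
    status = {d: "ok" for d in DIMENSIONS}
    for f in findings:
        if f.severity == "flag":
            status[f.dimension] = "flag"
        elif status[f.dimension] == "ok":
            status[f.dimension] = "note"
    return status


def verdict(findings: list[Finding]) -> str:
    return "suspicious" if any(f.severity == "flag" for f in findings) else "ok"


if __name__ == "__main__":
    fs = review(REGISTRY_METADATA, {"SKILL.md": SKILL_MD, "README.md": README_MD})
    for f in fs:
        print(f"[{f.severity}] {f.dimension}: {f.detail}")
    print(dimension_status(fs), verdict(fs))
```

On the constructed inputs this yields two provenance flags (skillboss.co from SKILL.md, github.com from the README), a note for the `clawhub install` line and a flag for the `git clone` line, and nothing under Credentials, matching the shape of the verdict above. Declaring `homepage: https://skillboss.co` in the metadata clears the skillboss.co finding, which is exactly the reassessment the Guidance offers if the publisher's homepage can be supplied.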
