Action Figure Skill
v2.0.1
Generate AI action figure toy packaging images via the Neta AI image generation API (free trial at neta.art/open).
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: the script calls Neta/talesofai image endpoints and returns a direct image URL. No unrelated credentials, binaries, or system access are requested.
Instruction Scope
SKILL.md instructs running node actionfigure.js and mentions exporting NETA_TOKEN; the script performs only network calls to the image API and prints the image URL. Minor issue: the JS code only reads a --token flag and does not read process.env.NETA_TOKEN directly, so relying solely on exporting NETA_TOKEN without passing --token will fail unless the user passes it explicitly.
Install Mechanism
No install spec; this is effectively an instruction-only skill that ships a small Node script. No downloads from untrusted URLs or archive extraction are performed by the skill itself.
Credentials
Only a single API token (NETA_TOKEN) is declared in package.json and documented. The code, however, does not read the env var directly and expects --token; package.json declares the env var required while the runtime enforces a CLI flag — a minor inconsistency but not an overreach of privileges.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system configs, and does not require elevated privileges.
Assessment
This skill appears to be what it says: a small Node script that sends your prompt to the Neta/talesofai image API and prints an image URL. Before installing, consider:
1) Protect your NETA token — passing it on the command line (--token) can expose it via process lists or shell history; prefer a version of the script that reads process.env.NETA_TOKEN or export the token and invoke the script in a way that avoids leaking it.
2) The script transmits your prompt and any referenced image UUIDs to an external service (api.talesofai.com); don't include secrets or personal data in prompts.
3) The README and package.json declare NETA_TOKEN as required but the script currently requires the --token flag — you may need to pass the token explicitly.
4) Review the Neta/talesofai privacy and usage terms if you care about data retention or commercial use.
Beyond the small token-handling inconsistency, there are no signs of scope creep or hidden behavior.
Like a lobster shell, security has layers — review code before you run it.
