Vibesku

Review

Audited by ClawScan on May 10, 2026.

Overview

The artifacts are coherent for a VibeSKU CLI, with the main user considerations being credential storage, uploading chosen product files, credit-consuming actions, and an optional remote update flow.

Use this skill if you are comfortable giving the CLI access to your VibeSKU account and uploading selected product assets. Review batch/refine/generate commands for credit cost, avoid confirmation-skipping flags unless intentional, keep credentials protected, and approve any update workflow before it runs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent running the CLI can act as the configured VibeSKU user and may consume account credits until the token/key is removed or revoked.

Why it was flagged

The skill uses local VibeSKU account credentials or API keys, which is expected for this CLI but gives the agent delegated access to the user's VibeSKU account.

Skill content

CLI token (`vibesku auth login`) — browser-based device flow, tokens at `~/.vibesku/config.json`; API key — `VIBESKU_API_KEY` env var > config file key

Recommendation

Use a dedicated or scoped API key where possible, protect ~/.vibesku/config.json, and log out or revoke credentials when no longer needed.

What this means

Product photos, logos, and related brand assets may leave the local machine and be processed by VibeSKU.

Why it was flagged

The CLI sends user-selected local product images and logos to the VibeSKU provider API as part of its core workflow.

Skill content

Generate content from a template. Handles asset upload automatically. ... `-i, --images <paths...>` | Product image files (auto-uploaded) | ... `-l, --logo <path>` | Logo file (auto-uploaded)

Recommendation

Only provide files you intend to upload, avoid confidential assets unless VibeSKU's terms fit your use case, and confirm the destination endpoint is trusted.

What this means

If run without careful review, refine or generation workflows could spend credits on the user's account.

Why it was flagged

The CLI includes credit-consuming actions and a documented option to skip a confirmation prompt; this is purpose-aligned but cost-impacting.

Skill content

Refine an existing output with new instructions. Consumes credits. ... `-y, --yes` | Skip credit confirmation prompt

Recommendation

Require explicit user approval for credit-consuming operations, avoid `--yes` unless the user specifically asks for it, and check credit balance before batch or high-resolution jobs.

What this means

A skill update could change future CLI behavior or code before the user's task continues.

Why it was flagged

The skill documents a remote version check and update workflow, which is disclosed and scoped but still changes installed skill behavior based on an upstream source.

Skill content

if `REMOTE_VERSION` is newer than `LOCAL_VERSION`, update before continuing user task. ... Use the agent's native skill installation/update workflow instead of hardcoded shell commands.

Recommendation

Ask before updating, prefer the trusted registry/native updater, and review the source or version change when practical.