Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MasterPiece Clone

v1.0.2

Decomposes editorial photography into precise descriptive prompts and clones visual styles by analyzing reference and subject images with the Pixify engine.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's purpose (image style transfer via Pixify/Ngmob) matches the instructions and manifest endpoints. However, the manifest and SKILL.md both require an API key (Authorization: Bearer {{API_KEY}} / $API_KEY) while the registry metadata lists no required environment variables or primary credential — an inconsistency indicating the skill as-published omitted a needed secret.
! Instruction Scope
Runtime instructions direct the agent to POST user-supplied image URLs to https://api.ngmob.com and poll task status. They do not instruct reading local files or other unrelated system data, but they rely on an undeclared $API_KEY and will transmit user images to an external service (privacy/exfiltration risk if images are sensitive).
Install Mechanism
There is no install spec and no code files—this is instruction-only, so nothing is written to disk or auto-downloaded. This is the lowest-risk install mechanism.
! Credentials
Although the workflow uses an Authorization header and the manifest contains {{API_KEY}}, the skill metadata declares no required env vars or primary credential. Requiring an API key for a third-party service is reasonable, but the failure to declare it is a mismatch and could lead to silent failures or inadvertent credential usage if the agent provides credentials unexpectedly.
Persistence & Privilege
The skill does not request always-on presence (always: false) and does not ask to modify other skills or system settings. Autonomous invocation is allowed (platform default) but is not combined with other high privileges here.
What to consider before installing
This skill appears to perform the claimed image style-transfer, but it will send images to a third-party API (api.ngmob.com) and the SKILL.md/reference manifest expect an API key even though the registry metadata doesn't declare one. Before installing: verify the publisher and a real homepage/contact, confirm how you should provide the API key (and that it won't be logged or leaked), avoid submitting sensitive or private images, and ask the publisher to fix the manifest to explicitly list required credentials and a privacy/data-retention policy. If you can't verify the service or trust the author, do not install or use with sensitive data.
