MasterPiece Clone
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only image style-transfer skill is coherent and purpose-aligned, but users should notice that it sends image URLs to a third-party API and uses an API key.
This skill appears safe to use for its stated purpose. Before installing, verify the provider endpoint, keep the API key secure, and only submit image URLs you are comfortable having processed by the external ngmob/Pixify service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may need to provide an API key tied to their provider account, which could allow workflow usage or incur account charges if mishandled.
The workflow requires a bearer API key for the external service. This is purpose-aligned, but it is a credential the user should handle carefully, and the registry metadata did not list a primary credential.
"Authorization": "Bearer {{API_KEY}}"Use a dedicated or least-privileged API key if available, store it securely, and rotate it if it is exposed.
The external service will receive the supplied image URLs and may retrieve or process those images.
The skill sends the user-provided image URLs to an external provider endpoint for processing, which is expected for this image-generation workflow but is still a third-party data flow.
"endpoint": "https://api.ngmob.com/api/v1/workflows/Awtk0EnhqBGkoOExvseI/run"
Only provide images or URLs you are comfortable sending to the ngmob/Pixify service, and review the provider’s privacy and retention terms for sensitive photos.
Users have limited publisher/provenance context for deciding whether to trust the external API workflow.
The manifest contains placeholder author metadata, while the registry source/homepage information is sparse. There is no installable code here, so this is a provenance note rather than a behavioral concern.
"author": "your-name"
Confirm that the ngmob/Pixify endpoint and account relationship are expected before using an API key or submitting images.