Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Virtual Try On

v1.0.0

Convert clothing images into professional e-commerce photos by virtually dressing AI models with up to four garment images for online retail use.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill description and SKILL.md describe an API-based virtual try-on service (api.ngmob.com), which reasonably requires an API key. However, the registry metadata declares no required environment variables or primary credential, while the manifest and SKILL.md explicitly use Authorization: Bearer {{API_KEY}} / $API_KEY. Additionally, there is no homepage/source, and owner IDs/authorship are inconsistent (manifest/_meta/registry show mismatched or placeholder values), reducing provenance and trust.
Instruction Scope
Instructions are scoped to sending user-provided clothing image URLs to https://api.ngmob.com and polling for results; this matches the declared purpose. However, the instructions require an API_KEY (curl examples) that is not declared elsewhere, and they will transmit user images to an external service (data exfiltration/privacy risk if images are sensitive). The skill does not document data retention, privacy, or what is sent beyond the image URLs.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write code to disk or download external binaries. That lowers installation risk.
! Credentials
The manifest and SKILL.md expect an API key (Authorization: Bearer {{API_KEY}} / $API_KEY), but the requires.env/primary credential fields are empty. This mismatch is problematic: the skill will fail or will silently rely on an implicitly provided key. The skill asks for a high-sensitivity secret (API_KEY) without declaring scope, usage, or least-privilege recommendations.
Persistence & Privilege
always is false and disable-model-invocation is not set; the skill does not request persistent system-wide privileges or modify other skills. There is no install-time persistence specified.
What to consider before installing
This skill will send any submitted image URLs and an API key to an external service (api.ngmob.com). Before installing or using it:

(1) ask the author to declare the required env var (API_KEY) in the skill metadata and explain the key's required scope/permissions;
(2) verify the service provenance (official homepage, company, support/contact info) and confirm api.ngmob.com is the legitimate endpoint;
(3) avoid uploading private/sensitive images; use public or anonymized examples;
(4) create a limited-scope API key (least privilege) and monitor its usage;
(5) ask the author to document data retention, privacy, and whether images are stored or used to train models; and
(6) prefer skills with consistent owner metadata and non-placeholder author fields.

The current metadata inconsistencies (missing required credential declaration, no homepage, mismatched owner IDs/placeholder author) are the primary reasons for caution.
