Skill v1.0.1

ClawScan security

AI Age Filter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 19, 2026, 2:35 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This instruction-only skill is internally consistent: it calls Media.io's OpenAPI using curl and a single MEDIAIO_API_KEY credential, which matches its stated purpose of applying age filters to images.
Guidance
This skill appears coherent, but consider privacy and billing before using it: generated and input face images are uploaded to an external service (Media.io), so only use images you own or have permission to process. Use a dedicated, limited-scope MEDIAIO_API_KEY (rotate it if exposed), and monitor usage/credits to avoid unexpected charges. Ensure the input image is hosted at a public URL reachable by Media.io (local files are not supported). Review Media.io's privacy and terms for handling biometric/sensitive images. Although the skill instructs against logging API keys, be cautious about logs and responses that might accidentally include the key or generated images.

Review Dimensions

Purpose & Capability
ok: Name/description, required binary (curl), and required env var (MEDIAIO_API_KEY) all directly match calling Media.io's OpenAPI for an image age filter. No unrelated credentials or binaries are requested.
Instruction Scope
ok: SKILL.md only describes calling Media.io endpoints (credits, create task, poll result), validates an input image URL, and warns about not logging API keys. It does not instruct reading unrelated files, other env vars, or sending data to endpoints outside Media.io.
Install Mechanism
ok: No install spec or code files are present; this is instruction-only and relies on curl being available. That minimizes on-disk installation risk.
Credentials
ok: Only MEDIAIO_API_KEY is required (declared as primary). That credential is appropriate and proportionate for the described API calls; no extraneous secrets are requested.
Persistence & Privilege
ok: "always" is false and the skill does not request modification of other skills or system settings. It is user-invocable and may be invoked autonomously (platform default), which is appropriate for this type of integration.