Skill v1.0.2
ClawScan security
Tomoviee Image Recognition · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 27, 2026, 2:38 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches an image-mask generation purpose, but multiple inconsistencies (endpoint/branding mismatch, doc vs code naming mismatches, and vague instructions) mean you should review endpoints and credentials before use.
- Guidance: This skill appears to implement image-mask generation, but there are several packaging and documentation inconsistencies you should check before use:
  1. Verify the actual network endpoint the code calls (openapi.wondershare.cc) is the service you intend to trust—SKILL.md links to tomoviee.ai which does not match the client URL.
  2. Inspect the included Python files yourself; the client exposes low-level methods (_make_request/get_result/poll_until_complete) but the README examples show higher-level functions that are not implemented.
  3. Only provide real app_key/app_secret credentials if you trust the API operator; credentials will be sent as HTTP Basic auth to the external API. If unsure, test with throwaway credentials and non-sensitive images first.
  4. Fix or confirm the import/file name mismatch before running to avoid running unexpected code.

  If you want a clean install, ask the publisher to clarify the endpoint/branding and to update the docs so code and examples match.
Review Dimensions
- Purpose & Capability (note): The declared purpose (auto-generate masks / image recognition) matches the provided client code and reference docs: the client posts images and prompts to an image-recognition endpoint and returns mask results. However there is a branding/endpoint mismatch: SKILL.md and external links reference tomoviee.ai, while the client posts to https://openapi.wondershare.cc. That may be benign (Tomoviee could be a Wondershare product) but it's an unexplained discrepancy worth verifying. Also the packaged reference docs describe many higher-level convenience methods (image_to_image, image_redrawing, image_recognition) but the actual client implements only low-level _make_request/get_result/poll_until_complete.
- Instruction Scope (concern): SKILL.md instructs running the included scripts and using a Python client, which is appropriate. But there are concrete inconsistencies in the runtime instructions: the Quick Start import refers to scripts/tomoviee_image_recognition_client.py (file not present) while the actual file is scripts/tomoviee_recognition_client.py. The docs show high-level methods (client.image_recognition, client.image_to_image) that are not implemented in the provided client class; instead only _make_request/get_result/poll_until_complete exist. These mismatches make the instructions unclear and give the agent broad discretion to call low-level endpoints. The instructions do not ask to read unrelated local files or environment variables.
- Install Mechanism (ok): No install spec; this is an instruction-and-scripts skill (no downloaded archives or third-party installers). All code is included in the bundle and nothing will be fetched during install. Risk from installation is low, though the included scripts will perform network requests at runtime.
- Credentials (note): The skill declares no required environment variables or primary credential, which is consistent with the included client expecting the caller to pass an app_key/app_secret at runtime. That is proportional for an API client. However: the skill will require you to supply your app_key/app_secret to the scripts or code; those credentials will be sent (as Basic <base64>) to the openapi.wondershare.cc endpoints. Verify you trust that endpoint before providing secrets.
- Persistence & Privilege (ok): always is false and the skill does not request persistent agent-wide privileges or modify other skills. The skill does not attempt to store tokens in agent config or enable itself automatically. Normal autonomous invocation remains possible (platform default).
