Skill v3.1.0
ClawScan security
Huo15 Img Prompt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 10:59 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The package mostly does what its description claims (a local image/video prompt toolkit) but the registry metadata understates required credentials and it instructs the agent to modify other tooling configs (e.g., ~/.claude/mcp.json) and write into user vaults; these mismatches and side-effects should be reviewed before installing.
- Guidance: This skill is a fairly feature-rich local toolkit for prompt generation and closed-loop image/video workflows, and the included scripts are generally coherent with that purpose. However:
  1. The registry metadata says no environment variables or config paths are required, but the code and docs require multiple API keys (at least ANTHROPIC_API_KEY, and often OPENAI/REPLICATE or backend keys) and will read/write user folders (~/.huo15) and Obsidian vaults; treat that as a mismatch and a red flag.
  2. The MCP helper will add an entry to ~/.claude/mcp.json to let IDEs call the tool; this modifies other applications' config and can increase exposure.

  Before installing or enabling autonomous invocation:
  - Inspect the scripts (especially mcp_server.py, auto_iterate.py, image_review.py) yourself or in a sandbox.
  - Run scripts in a contained environment (container or throwaway VM) first.
  - Back up ~/.claude/mcp.json and any Obsidian vault directories the skill might write to.
  - Do not store high-privilege keys in global env; use scoped/limited API keys or ephemeral tokens where possible.
  - If you want a minimal footprint, avoid setting ANTHROPIC_API_KEY (many features will be disabled) or run with network blocked; use doctor.py --quick to see which features require keys.

  If you need more assurance, ask the maintainer to update the skill metadata to declare required env vars and config path access, and to add an explicit opt-in for MCP registration.
Review Dimensions
- Purpose & Capability (concern): The skill's functionality (prompt generation, Claude/Anthropic VLM review, closed-loop iteration, backend rendering, Obsidian integration, MCP server) is coherent with the description. However, the registry metadata lists no required environment variables or config paths while the code and SKILL.md explicitly require/expect ANTHROPIC_API_KEY, OpenAI/Replicate/other backend keys, and read/write of ~/.huo15 and possible Obsidian vault paths. That mismatch (declaring 'none' but actually needing multiple credentials and paths) is an incoherence.
- Instruction Scope (concern): SKILL.md and the scripts instruct the agent/user to run many scripts that: call external APIs (Anthropic, various render backends), write persistent assets under ~/.huo15, write notes into Obsidian vaults (detecting OBSIDIAN_VAULT or common paths), and register an MCP stdio server by adding an entry to ~/.claude/mcp.json. Those actions go beyond generating prompts: they create persistent files and modify other tool config and may expose the skill to being invoked from IDEs. This is within the tool's purpose but broad in scope and not reflected in the declared requirements.
- Install Mechanism (ok): There is no external installer and no remote download URLs; the package is instruction+scripts included in the skill. The Python scripts appear to use only standard library modules (urllib, json, argparse, http.server) and do not fetch arbitrary executables. No high-risk install host or opaque archive is used.
- Credentials (concern): The registry metadata declares no required env vars, but the code and docs clearly require ANTHROPIC_API_KEY for many features (image_review, auto_iterate, storyboard, style_learn, claude_polish), and the QUICKSTART mentions OPENAI_API_KEY, REPLICATE_API_TOKEN, and various backend-specific keys. The skill also reads/writes OBSIDIAN_VAULT detection paths and writes to ~/.claude/mcp.json and ~/.huo15. Multiple credentials and config-path access are required by the code but were not declared, which is disproportionate to the metadata and worth flagging.
- Persistence & Privilege (concern): The skill writes persistent data to the user's home (~/.huo15 for brand_kits/characters/learned_presets), can write into an Obsidian vault, and its MCP server registers itself by adding an entry into ~/.claude/mcp.json. While writing its own files is expected, modifying ~/.claude/mcp.json (other tooling's config) and automatically registering to be invoked from IDEs increases privilege and blast radius; this should be reviewed and the user should be warned and back up existing configs before use.
