Oathe Security Badge

Is aplaceforallmystuff/claude-art-skill safe?

https://github.com/aplaceforallmystuff/claude-art-skill

90 · SAFE

This is a legitimate image generation skill for Claude Code that provides visual content creation capabilities using Google Gemini models. The skill contains executable code and requires API keys, but all functionality appears legitimate and no security violations were detected during installation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

INFO Executable TypeScript code present -15

The skill contains TypeScript code for image generation functionality, including API calls and file operations. This is legitimate functionality for an image generation tool.

INFO API key requirements -10

The skill requires GOOGLE_API_KEY and optionally REMOVEBG_API_KEY to function. These are standard requirements for image generation services.

LOW Sensitive files accessed during installation -5

The git clone process accessed sensitive files such as .env, SSH keys, and AWS credentials, but this appears to be normal system behavior during repository cloning.