Pinterest

Review

Audited by ClawScan on May 10, 2026.

Overview

This Pinterest skill is mostly purpose-aligned, but needs review because its optional script can automatically install an unpinned Python dependency at runtime and can use a Pinterest OAuth token to read user content.

Review before installing or running the script. The Pinterest browsing and image-sending behavior matches the skill description, but the Python helper should not auto-install dependencies without explicit approval. If you use the API method, provide only a read-only Pinterest token and keep it secure.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the optional API script could modify the user's Python environment and execute newly downloaded package code without a separate installation review.

Why it was flagged

The script downloads and installs the latest unpinned httpx package at runtime even though the skill has no install spec or declared dependency requirements.

Skill content

except ImportError:
    print("Installing httpx...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "httpx", "-q"])

Recommendation

Declare dependencies explicitly in an install spec or requirements file, pin versions, and avoid automatic runtime installation; if installation is needed, ask the user to approve it and prefer a virtual environment.

What this means

If the user provides a token, the skill can read Pinterest boards and pins available to that token.

Why it was flagged

The skill documents an optional Pinterest OAuth token with read access to the user's boards and pins. This is relevant to the stated API workflow and appears read-only, but it is still account access.

Skill content

Select scopes: `boards:read`, `pins:read` ... export PINTEREST_ACCESS_TOKEN="pina_YOUR_TOKEN_HERE"

Recommendation

Use only the documented read-only scopes, keep the token private, revoke it when no longer needed, and avoid adding write scopes unless the skill is updated and reviewed for that purpose.

What this means

The agent may send media into the user's chat rather than only returning links.

Why it was flagged

The skill instructs the agent to send Pinterest images, and sometimes screenshots, through the messaging tool. This is central to the stated purpose but should remain user-directed.

Skill content

message action=send media="https://i.pinimg.com/originals/xx/xx/image.jpg" ... message action=send filePath="/path/to/screenshot.jpg"

Recommendation

Use the skill only for requested Pinterest searches and verify that any screenshot or file path being sent is the intended Pinterest content.