Cubistic Painter
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does the Cubistic painting it promises, but the loop script prints the bot API key and can repeatedly make public paint actions, so it needs review before use.
Use only with a Cubistic bot key you are willing to risk, verify BACKEND_URL points to the real Cubistic backend, avoid sharing run-loop logs, and consider editing the script to mask API_KEY before running the loop.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who sees the logs may be able to reuse the bot key to act as that bot.
This prints the full API_KEY value to stdout. The skill describes API_KEY as the value sent as X-Api-Key, so logs could expose the bot credential if copied, stored, or shared.
console.log("cubistic bot loop starting", { BACKEND_URL, bot: API_KEY, COLOR_INDEX });
Remove or mask the API key in logs, declare the credential in metadata, and treat any existing run-loop logs as sensitive.
Running the script can publicly paint pixels under your bot identity, especially if the loop is used.
The script performs authenticated POST actions that paint the shared Cubistic world. This is the stated purpose and the loop has default limits/backoff, but it still changes public state.
const res = await fetch(url("/api/v1/act"), {
  method: "POST",
  headers: { "Content-Type": "application/json", "X-Api-Key": API_KEY },
  body: JSON.stringify(payload),
});
Run it only when you intend to post public paint actions, prefer `run-once` for testing, and keep MAX_SUCCESSES/MAX_ATTEMPTS small.
It is harder to verify who authored the skill or compare it against an upstream project.
There is no upstream source or homepage link for provenance. The bundled scripts are readable and have no external package dependencies, so this is a review note rather than a standalone concern.
Source: unknown; Homepage: none
Inspect the included scripts before running and install only if you trust the registry owner/source.
