Clawhub Renderkit Skill

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill transparently uses a RenderKit API key and curl to create hosted pages and forms, with the main considerations being external hosting and account/API-key use.

Before installing, be comfortable giving the agent access to a RenderKit API key and sending selected content or form data to renderkit.live. Confirm before publishing pages, creating public forms, retrieving sensitive responses, or closing existing forms.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could create, change, or close RenderKit-hosted content if asked or if it decides the skill is relevant.

Why it was flagged

The skill documents API calls that can update hosted pages and close forms. These are mutation actions, but they are clearly disclosed and directly related to the stated RenderKit workflow.

Skill content

curl -s -X PATCH https://renderkit.live/v1/render/{render_id}
...
curl -s -X DELETE https://renderkit.live/v1/forms/{form_id}

Recommendation

Review the content, target render_id or form_id, and intended sharing before allowing page updates, form creation, or form closure.

What this means

Anyone or any agent process with access to this environment variable could use the RenderKit account permissions associated with the key.

Why it was flagged

The skill requires a RenderKit API key and uses it as a bearer credential for API requests, allowing actions under the user's RenderKit account.

Skill content

requires:
      env:
        - RENDERKIT_API_KEY
...
-H "Authorization: Bearer $RENDERKIT_API_KEY"

Recommendation

Use a dedicated RenderKit API key if possible, avoid exposing it in logs or shared shells, and revoke or rotate it if it is no longer needed.

What this means

Page content and form response data may be hosted or processed by RenderKit, including personal information if the user builds surveys, RSVPs, or feedback forms.

Why it was flagged

The skill sends page data, form prompts, and potentially retrieved form responses through a third-party provider API. This is expected for hosted pages and forms, but it creates an external data boundary.

Skill content

POST https://renderkit.live/v1/render
...
POST https://renderkit.live/v1/forms
...
Get form responses

Recommendation

Only send information appropriate for RenderKit hosting, review RenderKit's privacy/retention terms, and use expirations or close forms when collection is complete.