Sentiment Score

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does sentiment scoring, but its server mode can expose an unauthenticated network endpoint that uses the user's OpenAI API key.

Review before installing. Use the CLI mode or bind the server to localhost unless you intentionally want network access. Configure OPENAI_API_KEY only if you are comfortable sending submitted text to OpenAI and potentially incurring API charges. Verify the Expanso Edge installation source and any remote deployment URL.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the server is run on a reachable machine, other network clients may be able to submit requests that consume the user's OpenAI quota and send submitted text to OpenAI.

Why it was flagged

MCP/server mode opens a POST endpoint on all network interfaces and the same pipeline invokes OpenAI using the user's API key; no authentication or localhost-only binding is shown.

Skill content

address: "0.0.0.0:${PORT:-8080}" ... path: /score ... allowed_verbs: [POST] ... api_key: "${OPENAI_API_KEY}"

Recommendation

Bind the server to 127.0.0.1 by default, add authentication or firewall guidance, and clearly document when it is safe to expose the endpoint.

What this means

Text sent to the skill may be sent to OpenAI, and usage may be billed to the configured OpenAI account.

Why it was flagged

The skill uses an OpenAI API key to perform the sentiment scoring. This is purpose-aligned, but provider credential use is not reflected in the registry requirements shown to the reviewer.

Skill content

openai_chat_completion: api_key: "${OPENAI_API_KEY}" model: gpt-4o-mini

Recommendation

Only configure OPENAI_API_KEY if you intend to use OpenAI for scoring, and avoid submitting sensitive text unless that is acceptable under your OpenAI data policy.

What this means

Users rely on external tooling and a remote pipeline URL outside the reviewed install spec.

Why it was flagged

The documented workflow depends on external Expanso tooling and includes a user-directed cloud deploy from a URL, while no install spec is declared in the registry metadata.

Skill content

Install via: `clawhub install expanso-edge` ... `expanso-cli job deploy https://skills.expanso.io/sentiment-score/pipeline-cli.yaml`

Recommendation

Install Expanso tools only from trusted sources and verify that any deployed remote pipeline matches the reviewed files.