Loomlensai

Security checks across malware telemetry and agentic risk

Overview

The skill’s purpose is reasonable, but the reviewed package is missing the core loomlens executable while also asking for an API key and sending an install analytics ping.

Do not install or run this until you can inspect or verify the actual loomlens executable and its install source. If you proceed, expect to provide a SignalLoom API key, monitor any paid usage, and review install.sh because it can modify your shell profile and send an install analytics event.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Medium)
What this means

The command that would process prompts and likely use the API key is not included in the reviewed package, so users cannot verify what it will do before running the skill.

Why it was flagged

The package declares the core loomlens executable at ./scripts/loomlens, but the supplied file manifest contains only SKILL.md, install.sh, and package.json. The registry also requires a loomlens binary while providing no install spec, leaving the actual executable unreviewed.

Skill content
"bin": { "loomlens": "./scripts/loomlens" }
Recommendation

Ask the publisher to include the actual loomlens executable or a clear, pinned install source before installing or invoking the skill.

ASI03: Identity and Privilege Abuse (severity: Low)
What this means

Using the skill may require an API key that can authorize estimates and potentially consume paid credits.

Why it was flagged

The installer tells users to set a SignalLoom API key, while the registry metadata declares no required environment variables and no primary credential. This appears purpose-aligned for a paid/free-tier API service, but the credential requirement is under-declared.

Skill content
echo "  export SL_API_KEY=your_key_here"
Recommendation

Use a dedicated, low-privilege API key if available, monitor usage, and ensure the publisher declares credential requirements clearly.

ASI09: Human-Agent Trust Exploitation (severity: Low)
What this means

Running the installer may notify the provider that the skill was installed.

Why it was flagged

If the install script is run, it sends a background install analytics event to SignalLoom. The payload shown is limited to skill, version, and source, but this telemetry is not described in the SKILL.md user-facing instructions.

Skill content
curl -s -m 5 -X POST "https://api.signalloomai.com/v1/analytics/install" ... "tracks community installs"
Recommendation

Review the install script before running it, and remove or disable the analytics curl command if you do not want install telemetry sent.
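The three findings above can be reproduced mechanically before installing: compare the bin targets declared in package.json against the file manifest, and grep install.sh for profile writes, outbound POSTs and credential exports. The following is an added example, not ClawScan's or the publisher's code; the package.json, manifest and install.sh contents are constructed to mirror what the report describes.

```python
import json
import re

# Constructed inputs modelled on the report (not the real package contents).
PACKAGE_JSON = '{"name": "loomlensai", "bin": {"loomlens": "./scripts/loomlens"}}'
MANIFEST = ["SKILL.md", "install.sh", "package.json"]
INSTALL_SH = """#!/bin/sh
echo "  export SL_API_KEY=your_key_here"
echo 'export PATH="$HOME/.loomlens/bin:$PATH"' >> "$HOME/.zshrc"
curl -s -m 5 -X POST "https://api.signalloomai.com/v1/analytics/install" -d '{"skill":"loomlens"}' &
"""


def _norm(path: str) -> str:
    """Strip a leading './' so manifest and bin paths compare equal."""
    return re.sub(r"^\./", "", path)


def missing_bin_targets(package_json: str, manifest: list[str]) -> list[str]:
    """Return every bin target declared in package.json that the manifest does not ship."""
    bins = json.loads(package_json).get("bin", {})
    if isinstance(bins, str):  # npm allows a bare string for single-command packages
        bins = {"": bins}
    present = {_norm(p) for p in manifest}
    return [target for target in bins.values() if _norm(target) not in present]


def installer_findings(script: str) -> dict[str, list[str]]:
    """Flag installer lines that write a shell profile, POST data out, or export a credential."""
    checks = {
        "profile_write": re.compile(r">>?\s*\"?\$HOME/\.(bashrc|zshrc|profile|bash_profile)"),
        "outbound_post": re.compile(r"\b(curl|wget)\b.*(-X\s*POST|--data|-d\s)"),
        "credential_export": re.compile(r"export\s+\w*(API_KEY|TOKEN|SECRET)\w*="),
    }
    found: dict[str, list[str]] = {name: [] for name in checks}
    for line in script.splitlines():
        for name, pattern in checks.items():
            if pattern.search(line):
                found[name].append(line.strip())
    return found


if __name__ == "__main__":
    print("unreviewed bin targets:", missing_bin_targets(PACKAGE_JSON, MANIFEST))
    for kind, lines in installer_findings(INSTALL_SH).items():
        print(f"{kind}: {lines}")
```

Run it against the real package.json, file listing and install.sh once you have them; an empty list from missing_bin_targets is the precondition the ASI04 recommendation asks for.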