Test
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill’s stated behavior is coherent and disclosed, but users should verify the external CLI package and protect their OpenAI API key.
Before installing, verify that the materials-cli package is the intended trusted package and consider pinning its version. Use a dedicated OpenAI API key, avoid passing the key directly as a CLI flag, and do not include sensitive information in prompts sent to the AI provider.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing an unverified global npm package could run code on the user’s machine outside the reviewed artifact set.
The skill depends on an external CLI package, but the package contents, source repository, and pinned version are not included in the provided artifacts.
Run via Node (from the project or after `npm install -g materials-cli`)
Install materials-cli only from a trusted source, prefer a pinned version, and review the package provenance before use.

Use of the API key may incur charges or access the configured provider account.
The skill requires an OpenAI-compatible credential for AI generation, which is expected for the feature but still grants access to a paid/provider account.
Uses `OPENAI_API_KEY` (and optionally `OPENAI_MODEL`, `OPENAI_BASE_URL`) if not passed via flags.
Use a dedicated, limited API key where possible and prefer environment variables over passing secrets directly on the command line.

Sensitive prompt content could be sent to the configured AI provider.
The generate workflow sends user prompts to an external AI provider or configured compatible endpoint; this is disclosed and purpose-aligned.
`generate` — Use AI (OpenAI) to generate a schema from a prompt, then render it.
Avoid placing secrets or private data in generation prompts, and only use a trusted OpenAI-compatible base URL.
