Velora
PassAudited by ClawScan on May 10, 2026.
Overview
Velora appears to do what it says—log into Velora to chat with companions—but it requires your account credentials and browser automation, so use a test account and avoid putting passwords directly on the command line.
This skill is purpose-aligned and does not show malicious behavior in the provided artifacts. Before installing or running it, understand that it logs into Velora with your credentials, sends chat messages through your account, and requires Playwright/Chromium. Use a test account if possible, avoid passing passwords directly in commands, and run it in a controlled environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Velora account password is needed for the automation, and careless CLI use could expose it locally.
The skill requires Velora account credentials and demonstrates passing the password directly as a CLI argument. This is expected for logging into Velora, but command-line secrets may be visible in shell history or process lists.
node scripts/velora-chat.js "email@domain.com" "password" "Lilith" "Hey, how are you?"
Use a test Velora account where possible, avoid putting real passwords in shell history, and prefer environment variables or a local secrets manager over command-line arguments.
The skill can send chat messages and trigger companion interactions on your Velora account when run.
The script uses browser automation to start a chat and send a message through the user's Velora account. This is aligned with the skill purpose, but it is still an account action performed by automation.
await page.click('text=Neuer Chat'); ... await input.fill(message); await input.press('Enter');Run it only for messages and companions you explicitly want to test, and review the requested companion/message before executing the script.
Installing external packages adds normal dependency risk and may change your local environment.
The skill asks the user to install Playwright and Chromium from external package sources. This is normal for browser automation, but it is not represented as an install spec and is not pinned to a specific version.
npm install playwright npx playwright install chromium
Install dependencies from trusted networks, consider pinning package versions in your own project, and run the skill in an isolated test environment if possible.