Brand Voice Profile
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: brand-voice-profile
Version: 1.0.0
The skill is designed for legitimate brand voice management, but the `SKILL.md` instructions present potential vulnerabilities. Specifically, the 'Multi-Brand Support' section implies constructing file paths from user input (e.g., `brand-voice/profiles/{user_input}.json`), which could lead to path traversal if the agent doesn't sanitize input. Additionally, the instruction to 'Read their last 10 posts/articles' in the 'Analyze Existing Content' section is broad and could be interpreted by an agent to access arbitrary local files or external URLs, posing a risk of arbitrary file read or SSRF if not properly sandboxed or constrained. While these are vulnerabilities rather than explicit malicious commands, they introduce significant risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your writing examples, brand preferences, and possibly client-specific style information may be saved locally and reused in later content generation.
The skill intentionally stores persistent user style preferences and has future generation tasks read that stored profile.
Create a profile at `brand-voice/profile.json` ... Use it when generating content for you
Review what is stored in the profile, avoid adding confidential client or personal information unless needed, and periodically check or edit the profile if outputs start reflecting outdated or unwanted rules.
