Back to skill
Skillv1.0.4
ClawScan security
Kitful SEO Article Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 18, 2026, 6:44 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions match its stated purpose: it uses a Kitful API key to call kitful.ai endpoints to generate articles and does not ask for unrelated access.
- Guidance
- This skill appears coherent and only needs your Kitful API key to call kitful.ai. Before installing: 1) Confirm you trust https://kitful.ai and the account billing/usage terms, since the API key grants that service access to generate articles (and may incur charges). 2) Be aware the SKILL.md asks you to store the key in ~/.openclaw/openclaw.json so the agent can use it—storing the key there gives the agent access to call the Kitful API. 3) Optional env vars (space slug, brand URL) will be woven into produced articles if provided; don’t supply secrets you wouldn’t want included. 4) Because this is instruction-only, no additional code will be installed by the skill. If you want higher assurance, verify Kitful's dashboard and API behavior in your account after first use and use a dedicated API key with limited scope or billing limits if supported.
Review Dimensions
- Purpose & Capability
- okName/description (SEO article generation) align with required inputs and runtime behavior: the SKILL.md documents calls to kitful.ai endpoints and expects a KITFUL_API_KEY. No unrelated services, binaries, or config paths are requested.
- Instruction Scope
- okInstructions are scoped to collecting a topic, calling Kitful's generate/status endpoints, polling for progress, and returning results. The only local-write guidance is storing the API key in ~/.openclaw/openclaw.json (expected for agent credentials). The skill does not instruct the agent to read unrelated system files or exfiltrate other environment variables.
- Install Mechanism
- okNo install spec or downloaded code is present (instruction-only), so nothing is written or executed beyond normal agent behavior. This is the lowest-risk install profile.
- Credentials
- okOnly KITFUL_API_KEY is required (primary credential). Two optional env vars (KITFUL_SPACE_SLUG, KITFUL_BRAND_URL) are documented and clearly related to the article generation context. No unrelated credentials or high-privilege paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or system-wide configuration changes. It asks the user to store its API key in the agent's config file (expected for credential persistence) but does not modify other skills or system settings.