Skill v1.0.9
ClawScan security
Skywork Document · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 1:35 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill appears to do what it says — a document generator that uploads user files and sends requests to the Skywork API — but it will send full user content and uploaded files to a remote service, so avoid providing sensitive data unless you trust the provider.
- Guidance: This skill will upload any files you pass and send the full user prompt (verbatim) to https://api-tools.skywork.ai/theme-gateway using your SKYWORK_API_KEY. That is normal for a cloud document generator, but do not supply confidential or highly sensitive data unless you trust Skywork's security and privacy practices. Verify the API key is stored securely in your OpenClaw or environment config, and consider testing with non-sensitive documents first. If you need on-prem or offline processing, this skill is not suitable.
Review Dimensions
- Purpose & Capability (ok): Name/description align with required artifacts: python3 and a SKYWORK_API_KEY are expected for calling a remote Skywork Doc API. The included scripts implement parsing reference files and creating documents, which matches the stated purpose.
- Instruction Scope (note): SKILL.md and the scripts explicitly instruct uploading user-provided files and sending the full, verbatim user request to the Skywork server. They also recommend saving gathered context to disk and passing it as reference files. This is coherent with a remote document-generation service but has privacy implications (explicitly stated in SKILL.md). There are no instructions to read unrelated system files or other environment variables.
- Install Mechanism (ok): No install spec is provided (instruction-only install), and the script files are plain Python. No external downloads, installers, or unusual install behavior are present in the bundle.
- Credentials (ok): Only one credential is requested (SKYWORK_API_KEY), which is the expected primary credential for a cloud API. The SKILL.md and scripts consistently use that env var; no other secrets or unrelated env vars are requested.
- Persistence & Privilege (ok): always:false and user-invocable; the skill does not request permanent or elevated platform privileges and does not attempt to modify other skills or global agent settings. Guidance describes storing the API key in OpenClaw config, which is normal for credential configuration.
