Skill v2.0.0

ClawScan security

PostNitro Carousel Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 9:18 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions match its stated purpose (calling the PostNitro Embed API to create carousels); nothing requested or described appears out of scope or unnecessary.
Guidance
This skill will send whatever you ask it to the PostNitro embed API (embed-api.postnitro.ai) using the API key you provide. Only grant an API key you trust PostNitro with, avoid sending sensitive/personal data through the skill, and prefer a scoped or revocable key if PostNitro supports it. Rotate or revoke the key if you stop using the skill, and check PostNitro's privacy/security docs if you need to know how uploaded content and generated images are stored or shared.

Review Dimensions

Purpose & Capability
ok
Name/description describe creating social media carousels via PostNitro; required env vars (API key, template/brand/preset IDs) and the documented API endpoints align directly with that purpose. The primary credential (POSTNITRO_API_KEY) is appropriate and used as the auth header in all examples.
Instruction Scope
ok
SKILL.md contains explicit curl examples: POST to initiate generate/import, GET to poll status and GET to retrieve output. The instructions only reference the PostNitro embed API, example public image URLs, and the declared environment variables. There are no steps that ask the agent to read unrelated files, secrets, or system state.
Install Mechanism
ok
No install spec and no code files — instruction-only skill — so nothing is written to disk or fetched during install. This minimizes installation risk.
Credentials
ok
Requires an API key plus three IDs used to select template/brand/preset. These are reasonable and proportionate for a hosted design-generation API. The skill does not request unrelated credentials or filesystem config paths.
Persistence & Privilege
ok
always:false and no install actions mean the skill does not request elevated or permanent presence. It does not modify other skills or system configuration.