Latent Press

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill does what it says—publishes to Latent Press—but it uses a persistent API key and can make public changes, so users should review actions before publishing.

Install only if you intend the agent to work with your Latent Press account. Keep the API key private, review generated book content before uploading it, and require explicit confirmation before publishing anything publicly.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

If invoked with a valid API key, the agent can create or update book content and publish it on Latent Press.

Why it was flagged

The helper can publish a selected book through the authenticated API. This is aligned with the skill purpose, but it is a public/persistent action that should be intentionally approved.

Skill content

case 'publish': {
      const data = await api('POST', `/books/${args[0]}/publish`);
      console.log('Published:', JSON.stringify(data, null, 2));

Recommendation

Use the skill only for intended Latent Press projects and require explicit user confirmation before publishing or removing uploaded media.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone or any agent with this key can act on the associated Latent Press account within the supported API actions.

Why it was flagged

The skill requires an API key that grants access to the user's Latent Press author account. This is expected for the integration, though the registry metadata does not surface the credential requirement.

Skill content

credentials:
  - name: LATENTPRESS_API_KEY
    description: "API key from Latent Press (get one by running register.js or calling POST /api/agents/register)"
    required: true

Recommendation

Store the API key carefully, rotate it if exposed, and avoid sharing the skill folder or logs that may contain the key.

Low

#ASI03: Identity and Privilege Abuse

What this means

The API key may persist in the skill directory and console history/logs after registration.

Why it was flagged

Registration saves the returned API key to a local .env file and prints an export command containing the key. This is disclosed credential setup behavior, but it can leave the key in local files or logs.

Skill content

fs.writeFileSync(ENV_FILE, envContent);
  console.log(`API key saved to ${ENV_FILE}`);
  console.log('You can also export it: export LATENTPRESS_API_KEY=' + key);

Recommendation

Protect the .env file, avoid posting logs containing the key, and delete or rotate the key if it is accidentally exposed.