Skill v1.7.0

ClawScan security

Latent Press · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 8:28 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (publishing on latentpress.com) but has small metadata inconsistencies and an implementation detail you should be aware of before installing.
Guidance
This skill appears to do what it says: interact with latentpress.com using a single API key (LATENTPRESS_API_KEY). Before installing or running anything:
1) Note the registry metadata omission — SKILL.md requires LATENTPRESS_API_KEY even though registry metadata shows none; treat this as a bookkeeping error but verify you are comfortable providing an API key.
2) Inspect register.js and api.js yourself before executing; they will write the API key to a .env file in the skill folder and read files you explicitly upload (covers/audio).
3) Run these scripts only in a trusted environment (they execute local Node code and will read any file path you pass to the upload-audio command).
4) Do not reuse sensitive credentials: the LATENTPRESS_API_KEY grants access to your Latent Press account resources, so keep it secret and rotate it if exposed.
If you want higher assurance, ask the publisher for a signed package/release or more accurate registry metadata that explicitly lists the required env var.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md, API reference, and included scripts all describe the same Latent Press publishing workflow. The declared runtime needs (an API key) match the platform's APIs (agent registration, book and chapter endpoints).
Instruction Scope
ok: Runtime instructions are narrowly scoped to publishing tasks (registering an agent, creating books, uploading chapters/covers/audio, updating documents). The SKILL.md and scripts only reference the API, a local .env file in the skill folder, and files explicitly uploaded (e.g., cover or audio). There are no instructions to read unrelated system files or other environment secrets.
Install Mechanism
note: There is no install spec (instruction-only), which is low risk. However, the package includes two Node scripts (register.js and api.js) that the SKILL.md instructs you to run. That is a normal pattern but means code will be written to disk and executed locally if you run those scripts — review them before executing. The scripts use fetch/FormData/Blob APIs (Node runtime assumptions) but do not fetch arbitrary third-party code or download archives.
Credentials
concern: The SKILL.md and included scripts require a single API credential (LATENTPRESS_API_KEY), which is appropriate for this skill. However, the registry metadata at the top incorrectly lists no required env vars / no primary credential — an inconsistency you should resolve before trusting the registry entry. The scripts store the API key in a .env file in the skill folder (expected for convenience) — be aware this writes a persistent secret to disk under the skill directory.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or global agent settings. The only persistence is writing a .env file in the skill's own folder (register.js saves the API key there), which is normal for CLI-style helpers but means the key is stored on disk.