Agent Postcard
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for generating Turai postcards, but it does send a Turai API key and a short persona-derived prompt to turai.org.
This appears safe to install if you trust Turai and the skill publisher. Before use, set only a Turai API key you are comfortable using here, review persona files for secrets, and remember that the postcard prompt, location, style, and message are sent to turai.org.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running the skill must trust Turai with API-authenticated requests made under that key.
The script requires a Turai API key from the environment and uses it to authenticate outbound requests to the Turai API.
const apiKey = process.env.TURAI_API_KEY; ... "x-api-key": apiKey
Use a Turai key intended for this purpose, revoke it if no longer needed, and avoid sharing the environment with untrusted scripts.
Private or sensitive text placed in persona files could be included in the prompt sent to Turai.
The script reads persona files and converts up to about 500 characters of their content into the selfie prompt sent to the external postcard API.
join(WORKSPACE, "SOUL.md"), join(WORKSPACE, "IDENTITY.md") ... const content = await readFile(p, "utf-8"); return extractSelfiePrompt(content);
Review SOUL.md, IDENTITY.md, or any --persona file before use, and keep secrets or private instructions out of those files.
Users have less registry-level context for verifying the publisher, provider relationship, and credential requirement before running the skill.
The registry metadata lacks source/homepage provenance and does not declare the API key that the provided SKILL.md and script require.
Source: unknown; Homepage: none; Required env vars: none
Verify that turai.org and this skill publisher are trusted before setting TURAI_API_KEY or running the script.
