PagePop
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: pagepop-skill Version: 0.0.4 The PagePop skill bundle is a legitimate integration for a content generation service. The core logic in `scripts/pagepop_skill.py` handles OAuth-based authentication, persists session state using secure file permissions (0600), and manages Server-Sent Events (SSE) for streaming content generation. The script includes standard features such as image downloading to a configurable directory and update notifications, but it does not perform auto-installation or unauthorized execution. No evidence of data exfiltration, prompt injection, or malicious intent was found; the code follows security best practices like masking secrets in output and using atomic file writes.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the local state may be able to use the user's PagePop authorization until it is revoked or reset.
The skill stores a reusable PagePop access key locally after user authorization. This is expected for a PagePop integration, but it is credential-like state that should be protected.
After authorization, the skill stores a local access key and reuses it for later requests.
Authorize only from a trusted device and host app, protect the local state directory, and revoke or reauthorize PagePop access if the device or state file may be exposed.
A later PagePop request may reuse prior conversation context unless the user or host starts a new conversation.
The skill keeps conversation state and defaults to continuing the active conversation. This is useful for continuity, but it means prior conversation context can affect later requests.
Continue the current PagePop conversation by default. ... List locally saved conversations for switch-chat flows.
Use the new-chat option for unrelated or sensitive work, and review saved conversation choices before continuing an existing chat.
Prompts, referenced links, and generated-content context may be processed by PagePop's service.
The skill sends the user's generation request and optional links to the PagePop API. This is central to the skill's purpose, but it is still external service use.
`POST /v2/chat` ... "msg": "Generate an investor deck about our AI product", ... "links": ["https://example.com/reference"]
Do not submit confidential content or private links unless sharing them with PagePop is acceptable, and verify the configured PagePop API base URL is trusted.
A user or host may be prompted to download an updated skill package from a release URL.
The skill can report remote update metadata, including download URLs and hashes, but the artifact states it does not automatically install updates.
当前这是“更新通知”机制,不是自动安装机制。skill 只输出 `skill_update_available` 或 `skill_update_required` ... 下载、SHA-256 校验、解压安装、以及重启 skill 进程由宿主或用户完成。
Install updates only from the expected PagePop release source and verify the provided SHA-256 before replacing the skill.