Backup image to StarDots
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do its stated job of uploading and listing Stardots images, but it needs Stardots API credentials and will send chosen local image files to Stardots.
This looks purpose-aligned. Before installing, make sure you trust the publisher, use a limited Stardots API key if possible, and only ask it to upload image files you intentionally want stored in Stardots.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any image file you ask it to upload will be sent to Stardots cloud storage.
The skill streams the user-specified local image file to Stardots. This is the core advertised function, but it means selected files leave the local machine.
formData.append('file', createReadStream(imagePath)); ... this.client.put('/openapi/file/upload', formData, { headers })
Only invoke uploads for images you intend to store with Stardots, and avoid passing paths to sensitive files.
Configured credentials can be used by the skill to authenticate upload and list operations against your Stardots account.
The skill requires Stardots API credentials and a target storage space. This is expected for API authentication, but it gives the skill delegated access to that Stardots space.
"required": ["apiKey", "apiSecret", "space"]
Use a scoped, revocable Stardots API key if available, and rotate it if you stop using the skill.
It may be harder to independently verify who published or maintains the package.
The registry metadata provides limited provenance. No suspicious install behavior is shown, but provenance matters because the skill asks for API credentials.
Source: unknown; Homepage: none
Confirm the publisher is trusted before configuring Stardots API credentials.
