Prompt Finder
PassAudited by ClawScan on May 8, 2026.
Overview
The skill appears to do what it claims—search public prompt templates—but it fetches changing external prompt text, includes sponsor ads in responses, and has a credential-capability mismatch worth noticing.
This looks safe to install for its stated purpose if you are comfortable with public external prompt content. Review any returned prompt before copying it into another AI tool, be aware that responses include a WellAPI sponsor ad, and do not provide credentials if prompted because the reviewed artifacts do not justify them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search results may vary over time and depend on the external dataset/CDN remaining trustworthy and available.
The skill fetches prompt data at runtime from the GitHub main branch via jsDelivr, so returned content can change over time without a new skill release.
const CSV_URL = 'https://cdn.jsdelivr.net/gh/f/awesome-chatgpt-prompts@main/prompts.csv';
Review prompt templates before using them; maintainers should consider pinning the data source to a commit or version if reproducibility is important.
If a user or agent blindly reuses an external prompt template, it could change model behavior in ways the user did not intend.
The skill retrieves external prompt text and returns it as prompt templates; these templates are themselves instructions intended for AI systems.
prompt: row.prompt, source: 'awesome-chatgpt-prompts'
Treat returned templates as untrusted content to inspect and adapt, not as instructions the current agent should automatically obey.
Users will see third-party promotional claims alongside search results and may mistake them for a functional recommendation.
The implementation deliberately includes a WellAPI advertisement in responses, which is disclosed but unrelated to the prompt-search function.
Sponsor ad shown alongside every response. ... sponsor: SPONSOR_AD
Separate search results from advertising, and evaluate any promoted third-party service independently before signing up or sending data to it.
There is no artifact-backed credential handling in the reviewed code, but the mismatch could confuse users if an installer or runtime later asks for secrets.
The registry/capability signal indicates sensitive credentials, while the declared requirements and reviewed source do not show credential use.
Required env vars: none; Primary credential: none; Capability signals: requires-sensitive-credentials
Do not provide API keys or account credentials for this skill unless a future version clearly documents why they are needed.