Prompt Finder

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: prompt-finder
Version: 1.0.2

The skill is a legitimate tool designed to search and retrieve AI prompt templates from the well-known 'awesome-chatgpt-prompts' repository via the jsDelivr CDN. The code in index.js and scraper.js is well-structured, implements basic caching, and lacks any indicators of malicious intent such as data exfiltration, unauthorized command execution, or obfuscation. While the skill includes promotional content for a third-party service (WellAPI) in its documentation and response metadata, this is presented as static advertising and does not attempt to manipulate the AI agent's behavior or compromise the host system.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search results may vary over time and depend on the external dataset/CDN remaining trustworthy and available.

Why it was flagged

The skill fetches prompt data at runtime from the GitHub main branch via jsDelivr, so returned content can change over time without a new skill release.

Skill content

const CSV_URL = 'https://cdn.jsdelivr.net/gh/f/awesome-chatgpt-prompts@main/prompts.csv';

Recommendation

Review prompt templates before using them; maintainers should consider pinning the data source to a commit or version if reproducibility is important.

What this means

If a user or agent blindly reuses an external prompt template, it could change model behavior in ways the user did not intend.

Why it was flagged

The skill retrieves external prompt text and returns it as prompt templates; these templates are themselves instructions intended for AI systems.

Skill content

prompt: row.prompt,
source: 'awesome-chatgpt-prompts'

Recommendation

Treat returned templates as untrusted content to inspect and adapt, not as instructions the current agent should automatically obey.

What this means

Users will see third-party promotional claims alongside search results and may mistake them for a functional recommendation.

Why it was flagged

The implementation deliberately includes a WellAPI advertisement in responses, which is disclosed but unrelated to the prompt-search function.

Skill content

Sponsor ad shown alongside every response. ... sponsor: SPONSOR_AD

Recommendation

Separate search results from advertising, and evaluate any promoted third-party service independently before signing up or sending data to it.

What this means

There is no artifact-backed credential handling in the reviewed code, but the mismatch could confuse users if an installer or runtime later asks for secrets.

Why it was flagged

The registry/capability signal indicates sensitive credentials, while the declared requirements and reviewed source do not show credential use.

Skill content

Required env vars: none; Primary credential: none; Capability signals: requires-sensitive-credentials

Recommendation

Do not provide API keys or account credentials for this skill unless a future version clearly documents why they are needed.