Back to skill
Skillv3.0.0
ClawScan security
Website Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 30, 2026, 10:15 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are consistent with a CLI-based website generator: it installs an AnyGen CLI and requires a single AnyGen API key, which matches its stated purpose.
- Guidance
- This skill installs an npm CLI (@anygen/cli) and requires an AnyGen API key; only install it if you trust the AnyGen service and the npm package author. Be aware that generated site content and any data you provide will be sent to www.anygen.io. Use a scoped or revocable API key if possible, review the npm package source before installing in sensitive environments, and consider running the CLI in an isolated environment if you have concerns. If you don't trust AnyGen, do not provide your API key.
Review Dimensions
- Purpose & Capability
- okThe skill is a website/landing-page generator and requires the 'anygen' CLI plus ANYGEN_API_KEY. Installing @anygen/cli to provide the anygen binary and using an API key is coherent with the described purpose; there are no unrelated binaries or credentials requested.
- Instruction Scope
- noteSKILL.md instructs the agent to run the AnyGen CLI (including auth flows that may open a browser or accept an API key) and to call an auxiliary 'anygen-workflow-generate' skill. The instructions do not ask the agent to read unrelated files or extra environment variables, but they do send content to the external AnyGen service (www.anygen.io), so users should expect site content and any provided data to be transmitted to that service.
- Install Mechanism
- noteThe install uses an npm package (@anygen/cli) to create the anygen binary. Installing an npm CLI is a common pattern; this is moderate risk (npm packages can contain arbitrary code) but there are no downloads from obscure URLs or extract steps that would raise higher concern.
- Credentials
- okOnly a single credential (ANYGEN_API_KEY) is required and is the declared primary credential. That is proportionate for a service-backed CLI that needs authorization; no other unrelated secrets or config paths are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and is user-invocable. Model invocation is allowed (the platform default). The skill does not request system-wide persistent privileges or modify other skills' configurations.