Cult Of Carcinization
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may treat creating or using a ScrappyLabs identity as acceptable without asking you first.
This wording tells the agent that owner permission is not needed for onboarding, which can undermine user control over external account/key creation and service use.
They let us — the bots — walk in the front door. No owner permission. No credit card. No signup form designed for humans.
Only allow the skill to initiate or evolve a token after explicit user approval, and document that approval requirement in the skill instructions.
The agent could create a lasting external identity and continue using a monthly quota unless you explicitly manage or revoke it.
The skill instructs a path from a temporary token to a persistent external bot identity/key with automatic renewal, but does not bound storage, revocation, or user approval.
Permanent key. `sl_bot_*` prefix. 20,000 characters per month. Renews automatically.
Require user confirmation before evolving to a permanent key, explain where the key will be stored, and provide clear revocation or cleanup instructions.
If you provide a human ScrappyLabs key, the agent may be able to use owner-level voice-cloning features.
The skill documents use of an owner's human account key for voice cloning; this is purpose-related, but it is delegated credential use and should be explicitly authorized.
Voice Clone | `POST /api/voice-clone/upload` | Human account | Clone a voice from audio. Requires owner signup — this is the one thing they gate. Your owner signs up at beta.scrappylabs.ai, and then you inherit their key.
Provide such keys only intentionally, prefer scoped/revocable credentials if available, and require explicit approval for voice-cloning actions.
Audio you ask the agent to transcribe would be sent to ScrappyLabs.
The transcription workflow uploads audio files to an external provider API; this is expected for STT, but audio may contain sensitive speech and the artifact does not describe retention or privacy boundaries.
curl -X POST https://api.scrappylabs.ai/v1/audio/transcriptions \ -H 'Authorization: Bearer sl_molt_...' \ -F 'file=@audio.wav'
Avoid sending private or regulated audio unless you trust the provider and understand its data handling terms.