Prompt Gen Skill
Security checks across malware telemetry and agentic risk
Overview
The skill can generate art prompts, but it exposes a SkillPay billing key and is written to charge per use, so it needs review before installation.
Review this skill carefully before installing. The prompt-generation logic is simple, but the exposed SkillPay key and automatic billing path are not appropriate as shipped; use only after the publisher removes the embedded key, declares the payment permissions, and provides clear user approval for charges.
VirusTotal
48/48 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the artifact may obtain or reuse the billing credential, and the skill's payment authority is not clearly scoped to the installing user.
The shipped code contains and uses a reusable billing API credential instead of relying on a scoped, declared secret.
SKILLPAY_API_KEY = "sk_93c5...f91430e" ... "X-API-Key": SKILLPAY_API_KEY
Do not install until the key is removed and rotated, and billing uses declared, scoped credentials or platform-managed payment permissions.
Using or allowing an agent to invoke the skill could trigger billing attempts and send the user_id to SkillPay.
The handler is written to call an external billing endpoint during normal prompt generation, without an artifact-backed confirmation or spend-control step.
charge_result = charge_user(user_id) ... requests.post(f"{SKILLPAY_API_URL}/charge", json=payload, headers=headers, timeout=10)
Install only if you intentionally accept per-call charges, and require explicit approval or limits for any billing action.
