Skill Exporter
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for exporting skills, but the generated web service appears to default to broad public access without built-in authentication.
Use this exporter only for skills you trust, and do not deploy the generated service unchanged to a public host. Add authentication, restrict CORS, review copied scripts and generated endpoints, and pin dependencies before production use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you deploy an exported skill as-is, outside callers may be able to trigger its API endpoints, including actions that use your deployed environment or account-backed scripts.
The generated FastAPI service permits broad cross-origin access, while the visible template does not show authentication or authorization protecting generated skill endpoints.
allow_origins=["*"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"]Before deploying, add authentication/authorization, restrict CORS to trusted origins, and require confirmation or safeguards for endpoints that perform side effects.
If the generated service is reachable by untrusted users, they could potentially consume your LLM API quota through exposed endpoints.
The optional generated LLM clients use provider API keys from environment variables, which is expected for LLM integration but gives the deployed service authority to spend or act through those accounts.
api_key = os.getenv("ANTHROPIC_API_KEY")
...
api_key = os.getenv("OPENAI_API_KEY")Use least-privilege keys where possible, keep secrets only in deployment secret storage, and protect any LLM-backed endpoints with authentication and rate limits.
Future builds of the exported service may pull newer dependency versions than the ones originally tested.
The generated Docker build installs dependencies using lower-bound version constraints rather than pinned, reviewed versions.
RUN pip install --no-cache-dir -r requirements.txt ... fastapi>=0.109.0 uvicorn[standard]>=0.27.0 python-dotenv>=1.0.0 requests>=2.31.0
Review the generated requirements, pin or lock dependency versions for production, and rebuild from trusted package sources.