Hit Preview EN

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

This skill appears reasonable for its stated purpose, but treat AI mode as an external upload of your script text. Review the provider key and base URL environment variables, use local fallback for private material, and check setup.sh before installing. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an API key is present, the skill can make authenticated requests that may consume provider quota or incur cost.

Why it was flagged

The skill can read AI provider API keys from environment variables for DeepSeek, OpenAI, Anthropic, or Gemini access.

Skill content

if (process.env.DEEPSEEK_API_KEY) { ... apiKey: process.env.DEEPSEEK_API_KEY

Recommendation

Use a dedicated or limited-scope API key where possible, and unset provider keys if you want the skill to use only local analysis.

What this means

Scripts analyzed in AI mode may leave the local machine and be processed by the selected LLM provider.

Why it was flagged

In AI mode, the user's script text is included in the model request body and sent to the configured provider endpoint.

Skill content

messages: [{ role: "user", content: userMessage }] ... fetch(endpoint, { method: "POST", headers, body: JSON.stringify(body)

Recommendation

Avoid submitting confidential scripts unless you trust the configured provider and its data-handling terms; remove API keys to force local fallback.

What this means

The registry metadata may understate the setup step, though the provided setup script does not show risky installation behavior.

Why it was flagged

The skill's own frontmatter declares a Node requirement and setup script, while the registry metadata says there is no install spec; the referenced setup script is present and appears limited to chmod on the wrapper.

Skill content

requires:
  bins:
    - node
install:
  - kind: script
    path: setup.sh

Recommendation

Review setup.sh before installation and confirm you are comfortable with the local Node wrapper.