travel-destination-brochure

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is broadly purpose-aligned for generating travel brochures, but users should pay attention to API-key handling, third-party provider use, and manual installer commands.

This skill looks coherent for travel brochure generation. Before installing, review the installer commands, keep VLMRUN_API_KEY private, and understand that VLM Run may receive the images and prompts used to create videos or travel plans.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing dependencies could run third-party installer or package code on the user's machine.

Why it was flagged

The skill documents user-directed remote installer and unpinned package installation steps. This is aligned with the Python/VLM workflow, but it executes code obtained from external package sources.

Skill content

powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
...
curl -LsSf https://astral.sh/uv/install.sh | sh
...
uv pip install "vlmrun[cli]"
...
uv pip install requests

Recommendation

Install from trusted sources, verify the uv and vlmrun packages, and consider pinning versions in a controlled environment.

What this means

A VLM Run API key may be revealed or stored in a less secure place if the setup instructions are followed carelessly.

Why it was flagged

The VLM Run API key is expected for this integration, but the instructions include reading a .env file and printing the key, which could expose a credential if copied into an agent transcript or logs.

Skill content

VLMRUN_API_KEY (optional, but required for video and travel plan generation) ... Read **.env** file to find api keys ... echo $VLMRUN_API_KEY

Recommendation

Provide only the VLMRUN_API_KEY needed for this service, avoid printing secrets, and prefer a scoped environment variable or secret manager.

What this means

Images and prompts used for brochure generation may be sent to VLM Run when the API key is configured.

Why it was flagged

The script passes downloaded image files and prompts to the VLM Run CLI. This is disclosed and purpose-aligned, but it means content is processed by an external provider.

Skill content

cmd = ["vlmrun", "chat", prompt]
for img in image_files:
    cmd.extend(["-i", str(img)])

Recommendation

Use this skill only with images and prompts you are comfortable sending to VLM Run, and review that provider's privacy and retention terms.