ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

genstory story generator

v1.0.0

Use when the user wants to generate a story through Genstory with an API key, submit a Genstory story task, poll task status, and return the final Genstory o...

0· 90·0 current·0 all-time
by@muryanice
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md are coherent: the skill describes submitting a story generation task to Genstory, polling status, and returning the hosted URL and cover image. The API endpoints and fields in references/api.md align with that purpose.
Instruction Scope
Runtime instructions are narrowly scoped: they tell the agent to read GENSTORY_API_KEY from environment/config, POST to https://www.genstory.app/api/v1/story-tasks, poll the task URL, and return story data. There are no instructions to read other system files, traverse unrelated paths, or call unexpected third-party endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. Low risk from install mechanism.
!
Credentials
SKILL.md clearly requires GENSTORY_API_KEY (to be read from environment or skill config), but the skill metadata lists no required env vars or primary credential. This metadata/manifest mismatch is an incoherence that could cause misconfiguration or hide the fact that an API key will be transmitted to an external service. The requested credential itself is appropriate for the stated purpose, but the metadata omission and lack of provenance are concerning.
Persistence & Privilege
Skill does not request always:true, has no install hooks, and does not request system-level persistence or modifications to other skills. Normal autonomous invocation settings are unchanged.
What to consider before installing
This skill appears to do what it says — it will send your prompts and other story fields to https://www.genstory.app and return the hosted story URL and cover image — but there are two practical concerns to resolve before installing: 1) Metadata mismatch: the SKILL.md requires GENSTORY_API_KEY, but the skill metadata does not declare any required environment variables. Ask the publisher to update the manifest to list GENSTORY_API_KEY (and to explain where the key will be stored). That omission is an incoherence you should clarify. 2) Source/trust: the skill lists no homepage and an unknown owner. Confirm you trust the publisher and that you're comfortable sending user-provided story content to Genstory. Treat the API key like a secret: only provide it if you trust genstory.app, and consider using a key scoped with minimum privileges or a separate account for third-party integrations. Additional practical checks: ensure polling uses reasonable timeouts/rate limits (SKILL.md recommends 3–5s polling and a timeout — confirm the implementation follows that), and verify privacy/retention policies of Genstory if you will send sensitive content. If the publisher cannot fix the manifest or identify themselves, prefer not to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk977h19j5ssvdzq0mtzsw7s4gx84hc96

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments