Skill v1.0.0
ClawScan security
genstory story generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 9, 2026, 11:28 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (calling Genstory's API) but the package metadata omits the required GENSTORY_API_KEY and the skill has unknown provenance, so there is an inconsistency you should resolve before trusting it.
- Guidance: This skill appears to do what it says — it will send your prompts and other story fields to https://www.genstory.app and return the hosted story URL and cover image — but there are two practical concerns to resolve before installing:
  1. Metadata mismatch: the SKILL.md requires GENSTORY_API_KEY, but the skill metadata does not declare any required environment variables. Ask the publisher to update the manifest to list GENSTORY_API_KEY (and to explain where the key will be stored). That omission is an incoherence you should clarify.
  2. Source/trust: the skill lists no homepage and an unknown owner. Confirm you trust the publisher and that you're comfortable sending user-provided story content to Genstory. Treat the API key like a secret: only provide it if you trust genstory.app, and consider using a key scoped with minimum privileges or a separate account for third-party integrations.
  Additional practical checks: ensure polling uses reasonable timeouts/rate limits (SKILL.md recommends 3–5s polling and a timeout — confirm the implementation follows that), and verify privacy/retention policies of Genstory if you will send sensitive content. If the publisher cannot fix the manifest or identify themselves, prefer not to install.
Review Dimensions
- Purpose & Capability [note]: The name/description and the SKILL.md are coherent: the skill describes submitting a story generation task to Genstory, polling status, and returning the hosted URL and cover image. The API endpoints and fields in references/api.md align with that purpose.
- Instruction Scope [ok]: Runtime instructions are narrowly scoped: they tell the agent to read GENSTORY_API_KEY from environment/config, POST to https://www.genstory.app/api/v1/story-tasks, poll the task URL, and return story data. There are no instructions to read other system files, traverse unrelated paths, or call unexpected third-party endpoints.
- Install Mechanism [ok]: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. Low risk from the install mechanism.
- Credentials [concern]: SKILL.md clearly requires GENSTORY_API_KEY (to be read from environment or skill config), but the skill metadata lists no required env vars or primary credential. This metadata/manifest mismatch is an incoherence that could cause misconfiguration or hide the fact that an API key will be transmitted to an external service. The requested credential itself is appropriate for the stated purpose, but the metadata omission and lack of provenance are concerning.
- Persistence & Privilege [ok]: The skill does not request always:true, has no install hooks, and does not request system-level persistence or modifications to other skills. Normal autonomous invocation settings are unchanged.
