Musallat Bot
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a rude chatbot persona, but it exposes an apparent Gemini API key and under-declares its credential/provider use.
Review this skill before installing. Its core behavior is just a rude Gemini-backed chatbot, but the embedded apparent API key should be treated as a credential leak and replaced with a clearly declared, user-owned GEMINI_API_KEY. Do not send sensitive prompts unless you accept Gemini processing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A real exposed API key could be abused for someone else's quota/account, and users may not know which credential the skill is expected to use.
The skill documentation publishes an apparent Google/Gemini API key, while the metadata declares no primary credential or required environment variables. This makes credential ownership, scope, and safe use unclear.
- **API_KEY:** [AIzaSyBxfb-8s5TsOVvr55_E5lDbilpVLoSwIj8]
Do not rely on the embedded key. Remove or rotate the exposed key, declare GEMINI_API_KEY explicitly, and use only a user-provided key with clear scope and billing expectations.
Anything typed into this skill may be sent to Google/Gemini for processing.
When invoked, the user's prompt is sent to the external Gemini provider. This is purpose-aligned with the declared Gemini model, but users should understand that prompt contents leave the local environment.
response = model.generate_content(f"{system_instruction}\n\nSoru: {prompt}")
Avoid sending secrets or sensitive private data unless you are comfortable with the provider's handling terms.
The skill may fail unless the package is already installed, or it may use whatever local package version happens to be present.
The code depends on an external Python package, but the supplied install specification says there is no install spec. This is not malicious by itself, but dependency version/source is not captured in the artifacts.
import google.generativeai as genai
Add an install spec with a pinned, trusted dependency version, or document that the user must provide the package themselves.
