Demo Precacher

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its demo-caching purpose, but the included script sends a Turso database token to a hard-coded placeholder URL and writes cached demo data.

Before installing or running, replace the hard-coded Turso URL with your own verified database endpoint, use least-privilege demo API keys, review the hard-coded story data, and ensure cached content is cleaned up or protected after the demo.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run as-is, the user's Turso token and cached demo data could be sent to an unintended Turso host, and the script may write to a database the user did not mean to use.

Why it was flagged

The script sends the user's Turso bearer token to a fixed placeholder database URL rather than requiring a user-configured Turso endpoint.

Skill content

TURSO_URL = "https://your-db.turso.io"
TURSO_TOKEN = os.environ["TURSO_AUTH_TOKEN"]
r = httpx.post(TURSO_URL, headers=HEADERS_TURSO, json=body, timeout=30)

Recommendation

Require an explicit TURSO_URL or TURSO_DATABASE_URL environment variable, validate it before use, document the expected database scope, and use a least-privilege demo token.

What this means

A user may incur API usage charges and modify a database when the script is run.

Why it was flagged

Running the script triggers real Mistral and ElevenLabs calls and inserts a row into Turso. This matches the caching purpose, but it has cost and mutation impact.

Skill content

story = generate_story(demo["child_name"], demo["language"], demo["prompt"])
audio_b64 = generate_audio(scene, demo["voice_id"])
sfx_b64 = generate_sfx(demo["sfx_mood"], 10.0)
turso_exec(sql, [story["title"], content_json, demo["voice_id"], demo["child_name"], demo["language"], audio_json])

Recommendation

Run only on a deliberate user request, review the hard-coded demo list first, and prefer a dry-run or test database for initial setup.

What this means

Users must choose and install dependencies themselves, which can lead to inconsistent or unreviewed package versions.

Why it was flagged

The included script imports third-party packages such as httpx, mistralai, and google.generativeai, but no pinned install mechanism is provided.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Provide a requirements file or install instructions with pinned versions, and install dependencies from trusted package sources.

What this means

Demo prompts and generated media may remain in the database after the presentation and could include personal or customer-like details if users customize the script.

Why it was flagged

The script stores generated story content, child/demo identifiers, language, voice ID, and base64 audio cache data persistently in Turso.

Skill content

sql = "INSERT INTO stories (title, content, voice_id, child_name, language, audio_cache) VALUES (?, ?, ?, ?, ?, ?)"

Recommendation

Use non-sensitive demo data, protect the Turso database, and define cleanup or retention rules for cached demo content.