Brand Identity Analyzer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The brand-analysis function is coherent, but the skill tells the agent to immediately commit and push generated profiles to GitHub, where they may feed downstream deployments.
Install only if you are comfortable sending brand analysis requests to Gemini and if you will manually approve any file writes and GitHub pushes. Remove or override the mandatory push instruction unless you specifically want generated profiles committed to the configured Ad-Ready repository and consumed by downstream pipelines.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish generated brand data to a remote main branch, changing a shared repository or workflow state.
The skill instructs high-impact Git operations after each generated profile and frames them as mandatory, rather than requiring explicit user review before committing and pushing.
**Every time a new brand profile is generated and saved, it MUST be pushed to GitHub immediately.** ... `git commit -m "Add brand profile: {Brand Name}"` ... `git push origin main`
Require explicit user approval for each git add/commit/push, prefer pull requests or a staging branch, and make the GitHub publishing step optional.
Existing repository credentials could be used to publish changes without a clear account, repo, branch, or approval boundary.
Pushing to GitHub would use whatever GitHub/Git credentials and repository permissions are configured locally, but the artifacts do not clearly declare or scope this delegated authority.
cd ~/clawd/ad-ready
git add configs/Brands/{Brand_Name}.json
git commit -m "Add brand profile: {Brand Name}"
git push origin main
Declare GitHub/repository authority explicitly, limit the target repository and branch, and ask the user before using their Git credentials.
Incorrect, unreviewed, or prompt-injected profile content could affect downstream creative workflows or deployments.
The generated file is not just local output; it is intended to propagate into a deployment-backed ad generation pipeline.
Do NOT skip this step. The ad generation pipeline on ComfyDeploy needs the profile in the repo to work correctly.
Add validation and human review before pushing profiles that downstream systems automatically consume.
Brand names and analysis prompts are sent to Gemini/Google using the user's API key.
The skill requires a Gemini API credential for its stated analysis function; this is expected, but users should notice that the registry metadata lists no primary credential.
Uses Gemini API. Set via:
- `GEMINI_API_KEY` environment variable
- `--api-key` flag
Use a scoped Gemini key, avoid analyzing confidential brands unless acceptable, and update metadata to declare the credential expectation.
Future runs may use changed dependency code from the package index.
The script declares a runtime dependency with only a lower-bound version, so uv may install newer package versions over time.
# dependencies = [
#     "google-genai>=1.0.0",
# ]
Pin the dependency version and provide a lockfile or reviewed install spec.
Bad or manipulated brand profile content could influence later creative outputs.
The generated JSON becomes persistent context reused by other workflows, which is purpose-aligned but should be treated as model-generated and web-researched content.
Stores profiles for reuse across Ad-Ready, Morpheus, and other creative workflows.
Review generated profiles before reuse, especially before committing them or using them in automated prompt pipelines.
