v1.0.0

Book Writer

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

The skill appears aligned with its stated purpose of generating book content, but users should review its external API use, API key handling, and Python dependency installation.

Guidance: This skill looks suitable for its stated writing purpose. Before installing, use a virtual environment, review the Python dependencies, configure only the API keys you intend to use, and avoid submitting confidential manuscript content unless external OpenAI/Google processing is acceptable.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/install_dependencies.py
cmd = f"{sys.executable} -m pip install --upgrade {package}"

The setup script installs or upgrades third-party Python packages from the package ecosystem. This is expected for the skill, but it changes the user's Python environment and depends on current package versions.

User impact: Installing the skill can modify Python packages on the machine, which may affect other Python projects if not isolated.
Recommendation: Run the installer in a virtual environment and review requirements.txt before installing.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
export OPENAI_API_KEY="your_openai_api_key" ... export GOOGLE_CSE_ID="your_google_cse_id" ... export GOOGLE_API_KEY="your_google_api_key"

The skill expects user-provided OpenAI and Google credentials for generation and material search. This is purpose-aligned and disclosed, but the registry metadata lists no required environment variables or primary credential.

User impact: The skill may use the user's API accounts and incur API usage or billing under those accounts.
Recommendation: Use limited-purpose API keys where possible, monitor usage, and avoid sharing keys in generated files or prompts.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/book_writer.py
messages=[{"role": "user", "content": outline_prompt}]

The user's book prompt and generated outline instructions are sent to an external OpenAI chat completion API. This matches the skill's AI-writing purpose, but users should understand that manuscript topics or sensitive prompts leave the local environment.

User impact: Private book ideas, research topics, or draft instructions may be transmitted to external AI/search providers.
Recommendation: Do not include confidential material unless you are comfortable sending it to the configured providers under their API policies.