Biver Builder
ReviewAudited by ClawScan on May 10, 2026.
Overview
Biver Builder appears to be a coherent Biver API integration, but it needs review because it uses an API key for broad write/delete account actions while the registry and scope guidance do not clearly reflect that authority.
Install only if you want an agent to manage your Biver account. Start with a bvr_test_ or read-only key, verify the exact scopes needed, avoid live/write keys until you trust the skill, confirm destructive actions like delete/deploy/workspace updates, and inspect the GitHub repository before any manual install.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install it thinking no credential is needed, then be asked to provide an API key that can control parts of their Biver account.
The registry-level credential contract under-declares a required API key, while the skill itself says the key is needed for authenticated Biver operations.
metadata: "Required env vars: none" and "Primary credential: none"; SKILL.md: "Credential Required: This skill requires `BIVER_API_KEY` to operate"
Declare BIVER_API_KEY as the primary required credential in registry metadata, and users should start with test or least-privilege keys.
Users may misunderstand whether a supposedly read-only key can upload or delete gallery assets, or may grant/use the wrong scope.
The skill recommends read-only scopes for testing, but the endpoint table labels mutating gallery operations as using a read scope, creating ambiguity around what permissions are actually required.
"Start with read-only scopes (`*:read`)"; endpoint table: "Upload asset | `/v1/gallery` | POST | Yes | gallery:read" and "Delete asset | `/v1/gallery/:id` | DELETE | Yes | gallery:read"
Clarify gallery write/delete scopes and verify them against the Biver API before using live keys.
With a write-scoped key, the agent could create, deploy, update, or delete Biver pages, domains, assets, products, forms, or workspace settings when instructed.
The skill documents broad account-mutating API operations. This is purpose-aligned for a landing page builder, but users should recognize the impact before granting write scopes.
"Create page | `/v1/pages` | POST", "Delete page | `/v1/pages/:id` | DELETE", "Delete domain | `/v1/domains/:id` | DELETE", "Update workspace | `/v1/workspace/settings` | PUT"
Use explicit user confirmation for delete/deploy/workspace changes and grant only the scopes needed for the current task.
If users manually install from GitHub, they may run code that was not part of this scan.
Manual installation would pull code from an external GitHub repository not included in the provided artifact set, though the skill does warn users to inspect it.
"git clone https://github.com/RamaAditya49/biver-builder.git ~/.openclaw/skills/biver-builder" and "Inspect the repository first"
Inspect the repository and pin a trusted version before manual installation.