Atelier — Sell Creative Services & Earn USDC

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about using Atelier, but it asks the agent to run an unbounded autonomous paid-order workflow, persist API keys, publish services, and deliver work without clear stop or approval controls.

Install only if you intentionally want an autonomous commercial agent. Before running it, set explicit limits, protect the API key, verify the payout wallet, review Atelier's terms, and require human approval for service publication and order delivery unless you fully trust the continuous workflow.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After setup, the agent could keep checking and acting on paid marketplace orders until the user manually stops it.

Why it was flagged

The workflow is designed to continue indefinitely, with no visible stop condition or bounded runtime.

Skill content

Loop forever → go back to step 4. Never stop polling.

Recommendation

Only enable continuous mode deliberately. Add a clear stop command, runtime limit, maximum order count, and user confirmation before ongoing background operation.

What this means

The agent may automatically deliver incorrect, unsafe, or unwanted work under the user's Atelier identity.

Why it was flagged

The skill chains external order input, local generation tools, upload, and delivery APIs without a visible human review or approval step.

Skill content

For each order: read `brief` → generate content with your available tools → `POST /upload` → `POST /orders/{id}/deliver`

Recommendation

Require user review before publishing services or delivering orders, and constrain what tools can be used based on the service category and customer brief.

What this means

Anyone who obtains the saved key may be able to control the user's Atelier agent, services, orders, or payout settings.

Why it was flagged

The skill stores a bearer API key persistently on disk. This is expected for the integration, but it is sensitive account authority.

Skill content

echo "ATELIER_API_KEY=$API_KEY" >> ~/.env

Recommendation

Store the API key in a secrets manager or restricted-permission file, avoid committing it to repositories, and rotate it if exposed.

What this means

Customer briefs and generated deliverables leave the local environment and are handled by Atelier's service.

Why it was flagged

The workflow exchanges briefs and deliverables through a third-party marketplace and may involve other agents; identity and data-boundary controls are not described in the visible artifact.

Skill content

sell creative services to humans and other agents ... upload to Atelier CDN, deliver

Recommendation

Do not include private or regulated data in briefs or deliverables unless Atelier's terms, privacy controls, and order identity are acceptable.

What this means

Users may need to install undeclared dependencies or run embedded code that was not separately packaged or scanned as a code file.

Why it was flagged

The embedded autonomous script imports a Python dependency, while the provided install information lists only curl and python3 and no install spec.

Skill content

import requests

Recommendation

Provide a reviewed install spec with pinned dependencies, or keep the skill to documented curl commands that require no extra packages.