Get local help for shifts and tasks (Blossomai.org)
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key leaks or is used incorrectly, someone could potentially access or change the user's Blossom account until Blossom rotates or revokes it.
This shows the skill relies on a long-lived credential with full Blossom account authority and limited revocation controls if it is exposed or misused.
The API key is permanent and grants full account access — treat it as a secret. ... The current protocol does not expose scoped keys, expiry, or self-service revocation
Use a unique Blossom passKey, keep the API key out of shared chats/logs, and ask Blossom for scoped, expiring, or self-service-revocable credentials if available.
A confirmed mistake could post, update, delete, or submit marketplace records on the user's behalf.
The skill can perform high-impact marketplace actions, but the instructions require a user confirmation gate before each mutating request.
Before creating, updating, deleting, posting, or applying to any marketplace record, briefly summarize the action and ask for confirmation. Do not send the mutating request until the user clearly confirms.
Review each confirmation summary carefully and do not approve broad or unclear marketplace changes.
Personal and job-related information provided to the agent may be sent to Blossom to perform marketplace actions.
The skill clearly discloses an external provider data flow involving personal information and includes minimization rules.
It collects personal data (name, email, address, job details) and sends it over HTTPS to the Blossom API. ... Only send the minimum data needed for the current Blossom action.
Only provide information needed for the Blossom task and review Blossom's privacy policy before using the skill.
