Pulse Editor Vibe Coding APIs
PassAudited by ClawScan on May 10, 2026.
Overview
The visible artifacts describe a coherent Pulse Editor API integration, but users should understand that it sends prompts to a cloud service and can immediately publish or update apps.
This skill appears purpose-aligned for generating Pulse Apps. Before using it, verify the publisher and endpoint, provide the API key only through a secure mechanism, avoid putting secrets in prompts, and explicitly confirm any action that will update an existing app or publish a live app.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad prompt could result in an unwanted app update or public/live app being created.
The skill can create or update account resources and publish a live app as part of the normal workflow. This is disclosed and purpose-aligned, but it is a high-impact action that should be user-approved.
Apps are automatically built and published immediately after generation. No separate build or deploy steps needed—users get a live, working app URL as soon as generation completes.
Confirm the prompt, app name, appId, and version with the user before invoking generation, especially for updates or public deployments.
Anyone with the API key may be able to perform Pulse Editor API actions allowed by that key.
The skill requires a user API key to act on the user’s Pulse Editor account. This is expected for the integration, but the registry metadata does not declare a primary credential or required env var.
The Pulse Editor API requires an API key for authentication... Authorization: Bearer your_api_key_here
Store the key securely, prefer environment variables or a credential manager, avoid pasting it into prompts, and revoke or rotate it if exposed.
Sensitive app requirements, proprietary design details, or secrets included in prompts may be transmitted to Pulse Editor’s service.
User prompts and app-generation instructions are sent to a remote cloud coding service and processed by cloud-based agents. This is central to the skill and disclosed, but users should treat it as an external data boundary.
agents can offload code generation to Pulse Editor's cloud-based vibe coding service
Do not include passwords, private keys, production secrets, or unnecessary confidential data in generation prompts; review the provider’s data handling terms before use.
Users have less independent information for verifying who maintains the skill or whether it is officially associated with Pulse Editor.
The registry metadata does not provide source or homepage provenance for the skill. No install script is present and static scan was clean, so this is a provenance note rather than a concrete behavior concern.
Source: unknown; Homepage: none
Verify the Pulse Editor API endpoint and the skill publisher before providing an API key or using it for important apps.