Pulse Editor Vibe Coding APIs
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: pulse-editor
Version: 1.0.3
The skill bundle is benign. All files consistently describe and implement interaction with the `pulse-editor.com` API for generating and updating applications. The `SKILL.md` provides clear, non-malicious instructions for the AI agent, focusing on API usage and response handling. The example scripts (`generate_app.py`, `generate_app.tsx`) demonstrate standard API calls, secure handling of API keys (via environment variables or implied proxy), and proper parsing of Server-Sent Events, without any evidence of data exfiltration, malicious execution, persistence, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad prompt could result in an unwanted app update or public/live app being created.
The skill can create or update account resources and publish a live app as part of the normal workflow. This is disclosed and purpose-aligned, but it is a high-impact action that should be user-approved.
Apps are automatically built and published immediately after generation. No separate build or deploy steps needed—users get a live, working app URL as soon as generation completes.
Confirm the prompt, app name, appId, and version with the user before invoking generation, especially for updates or public deployments.
Anyone with the API key may be able to perform Pulse Editor API actions allowed by that key.
The skill requires a user API key to act on the user’s Pulse Editor account. This is expected for the integration, but the registry metadata does not declare a primary credential or required env var.
The Pulse Editor API requires an API key for authentication... Authorization: Bearer your_api_key_here
Store the key securely, prefer environment variables or a credential manager, avoid pasting it into prompts, and revoke or rotate it if exposed.
Sensitive app requirements, proprietary design details, or secrets included in prompts may be transmitted to Pulse Editor’s service.
User prompts and app-generation instructions are sent to a remote cloud coding service and processed by cloud-based agents. This is central to the skill and disclosed, but users should treat it as an external data boundary.
agents can offload code generation to Pulse Editor's cloud-based vibe coding service
Do not include passwords, private keys, production secrets, or unnecessary confidential data in generation prompts; review the provider’s data handling terms before use.
Users have less independent information for verifying who maintains the skill or whether it is officially associated with Pulse Editor.
The registry metadata does not provide source or homepage provenance for the skill. No install script is present and static scan was clean, so this is a provenance note rather than a concrete behavior concern.
Source: unknown; Homepage: none
Verify the Pulse Editor API endpoint and the skill publisher before providing an API key or using it for important apps.
