orbcafe-graph-detail-ai
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only UI-pattern skill; the only notable risks are that its examples handle LLM API keys and persistent prompt templates.
This skill appears safe to install as an instruction-only ORBCAFE UI helper. When using its AI-settings snippets, protect API keys, avoid exposing them in client logs or debug panels, and control who can edit saved prompt templates.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this pattern is used with a real key, poor storage or display choices in the generated app could expose that credential.
The recipe shows a generated AI settings UI that can hold an API key and provider endpoint.
`value={{ baseUrl: '/llm-api', apiKey: '', model: 'doubao-lite', ... }}`
Store provider keys securely, redact them from logs and debug panels, restrict who can edit settings, and use least-privilege keys where possible.
Saved prompts or settings could influence future AI outputs if they are changed accidentally or by an unauthorized user.
The skill explicitly supports persistent AI settings and prompt-template selections, which can shape later model behavior.
`onSaveAll` should persist both setting values and selected template IDs in one transaction.
Add access controls, review/version prompt templates, audit changes, and provide a safe reset path for AI settings.
