Skylv Universal Bot Maker
Review
Audited by ClawScan on May 4, 2026.
Overview
This instruction-only bot builder is coherent with its stated purpose, but users should verify the external npm tooling and carefully protect messaging-platform tokens before using it.
Before installing or using this skill, confirm that the referenced npm packages are legitimate, pin versions where possible, keep bot tokens out of chat and source control, and deploy first to a private test environment with clear stop/rollback steps.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running an unverified npm CLI or library can execute code on the user's machine or in the generated project.
The skill directs users to external npm tooling and a library that are not bundled or pinned in the artifact. This is central to the bot-builder purpose, but package provenance should be checked.
npx bot-builder create my-bot ... const { BotBuilder } = require('@skylv/bot-builder');
Verify the npm package owner and source, pin versions, inspect the package before use, and run setup in a disposable project directory when possible.
If these tokens are exposed or over-scoped, someone could control the bot, send messages, or access bot-related platform data.
The generated bot configuration uses platform tokens and app secrets. These credentials are expected for bot deployment, but they can grant message-sending and account-level bot authority.
token: ${TELEGRAM_BOT_TOKEN} ... token: ${DISCORD_BOT_TOKEN} ... appSecret: ${WECHAT_APP_SECRET}
Use least-privilege bot tokens, store them in a secret manager or environment variables, avoid pasting real secrets into chat, and rotate tokens after testing.
A deployed bot may keep responding to users or sending messages until it is stopped or redeployed.
The skill includes deployment paths that run the generated bot as a continuing service. This persistence is expected for a bot, but users should explicitly manage lifecycle and shutdown.
await bot.deploy(); ... docker run -d --name my-bot -p 8443:8443 ... vercel deploy
Test in a private sandbox first, review handlers before production deployment, monitor logs, and document how to disable or roll back the bot.
Incoming platform messages and user profile data may be processed by the bot and its hosting environment.
The bot architecture receives platform webhook traffic and processes user identifiers, names, avatars, and message content. This is expected for messaging bots, but the artifact does not describe validation, retention, or privacy controls.
"/telegram/webhook" ... "/discord/webhook" ... "/wechat/webhook" ... user: { id: '123456', name: '张三', avatar: 'https://...' }
Validate webhook origins/signatures where each platform supports it, minimize stored user data, document retention, and avoid logging sensitive messages unnecessarily.
