v1.0.0

Anygen Task Download

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 10:49 AM.

Analysis

This skill appears to do what it says—download AnyGen task files—but it needs the AnyGen CLI/API key and can write downloaded files to your computer.

Guidance: Before installing, verify that you trust the AnyGen CLI package, provide only the API key needed for this task, and choose an output directory intentionally. Prefer previewing with `--thumbnail` or limiting downloads with `--file` when you do not need every artifact.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
This is a **write** command (writes files to disk) — confirm the output directory with the user.

The skill writes remote task artifacts to local storage. This is expected for a download helper and is disclosed, but users should confirm where files will be saved.

User impact: Downloaded files may appear in the current directory or another chosen folder, and downloading without `--file` can fetch all task outputs.
Recommendation: Confirm the output directory, use `--file` when only specific artifacts are needed, and inspect downloaded files before opening them.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
package: "@anygen/cli"

The skill depends on an external CLI package, while the registry-level install spec says no install spec is present. The dependency is purpose-aligned but should be verified.

User impact: Installing or relying on the wrong CLI package could affect local execution or credential handling.
Recommendation: Install the AnyGen CLI only from a trusted source and confirm the package name/version before use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
env: ["ANYGEN_API_KEY"]

The skill requires an AnyGen API key. This is proportionate for downloading account task artifacts, but it is sensitive account authority.

User impact: Anyone or any agent process using this key may be able to access AnyGen task artifacts allowed by the key's permissions.
Recommendation: Use a least-privilege AnyGen key if available, avoid sharing it unnecessarily, and revoke or rotate it when no longer needed.