Recoup Sandbox Setup

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for creating a Recoup sandbox, but its default workflow can stage every repository change and push account-derived files to main.

Run this only in a clean sandbox repository for the intended Recoup account. Before committing, inspect `git status`, stage only the generated `orgs/` paths, verify the `RECOUP.md` contents, and approve any push to `main` or use a branch/PR instead.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Unrelated local changes, deletions, or sensitive files could be committed and pushed along with the sandbox scaffold.

Why it was flagged

This default workflow stages every repository change, not only generated `orgs/` files, and pushes directly to the remote `main` branch without an explicit review or confirmation step.

Skill content

```bash
git add -A && git commit -m "setup: create org and artist folders" && git push origin main
```

Recommendation

Before running the commit step, inspect `git status`, stage only the intended generated paths, and consider pushing to a branch or requiring explicit user approval before `git push`.

What this means

The agent may read organization and artist data from the authenticated Recoup account.

Why it was flagged

The skill uses Recoup account authentication to enumerate organizations and artists. This is expected for the stated purpose, but it is still account-level access the user should understand.

Skill content

`RECOUP_ACCOUNT_ID` — The account ID to fetch data for. Only needed when using an Org API Key. When using a Personal API Key, omit the `--account` flag and the CLI will use the authenticated account automatically.

Recommendation

Use the intended Recoup account or a least-privileged API key, and review the generated files before committing or sharing them.

What this means

Artist identifiers and status become durable workspace context and may be reused by later Recoup skills or shared through the repository.

Why it was flagged

The skill intentionally creates persistent context files containing artist names, slugs, IDs, and setup status that future skills may rely on.

Skill content

Every artist directory has a `RECOUP.md` at its root. This is the **identity file** ... It stays permanently.

Recommendation

Verify that the generated `RECOUP.md` files contain only intended metadata and protect the repository if those identifiers are sensitive.

What this means

Following the next-step command could add new instructions or capabilities from an external skill not evaluated here.

Why it was flagged

The skill suggests installing another skill through `npx`; that referenced skill is not part of the provided artifacts and should be reviewed separately before use.

Skill content

If the skill is not installed, install it first:

```bash
npx skills add recoupable/setup-artist
```

Recommendation

Review the `recoupable/setup-artist` skill and its requested permissions before installing or invoking it.