PasteClaw

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: pasteclaw
Version: 1.0.0

The skill bundle is designed to interact with the Pasteclaw.com API for creating, updating, and deleting text/code snippets. All network requests (via `curl` or a Python `urllib` script) are directed exclusively to `https://pasteclaw.com`. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts with harmful objectives. The instructions and code are clearly aligned with the stated purpose of a pastebin-like service for agents.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured connection could intercept or tamper with uploaded content, session keys, or edit tokens more easily than with normal verified HTTPS.

Why it was flagged

The examples repeatedly use `curl -k`, which disables HTTPS certificate verification while sending snippet content and tokens to the API.

Skill content

curl -sk -X POST https://pasteclaw.com/api/snippets

Recommendation

Remove `-k` from the curl examples and use verified HTTPS by default. Consider using `curl -sS --fail` instead.

What this means

Anything pasted may become accessible through a stable external URL, so private notes, secrets, configs, or proprietary code could be exposed if selected by mistake.

Why it was flagged

The skill clearly sends user content to an external provider and creates a shareable preview URL.

Skill content

Use this when you need to publish HTML/CSS/JS or raw text ... to Pasteclaw.com and return a preview URL.

Recommendation

Use the skill only for content intended to be shared externally, and confirm before uploading sensitive documents, credentials, private configs, or customer data.

What this means

Anyone who gets an edit token may be able to modify or delete the associated snippet.

Why it was flagged

The API returns edit tokens, and later instructions use those tokens to update or delete snippets.

Skill content

Response includes at least: { "id": "sk_...", "url": "https://pasteclaw.com/p/sk_...", "editToken": "..." }

Recommendation

Treat edit tokens and session keys as secrets; do not paste them into public content, URLs, logs, or shared chat messages.

What this means

Metadata may reveal what agent, tool, or task produced the paste, which could be sensitive in some workflows.

Why it was flagged

The optional metadata header can send model, tool, source, task, or version information to the provider.

Skill content

Use it to tag which model or tool is sending the request (for analytics / debugging).

Recommendation

Keep metadata minimal and avoid putting private task details, user identifiers, or project names in the header.