Content Generation
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: content-generation Version: 1.0.0 The skill bundle defines a 'content-generation' skill. The `_meta.json` contains standard metadata. The `SKILL.md` describes the skill's purpose, capabilities, and usage. It declares requirements for `curl`, `jq`, `git` binaries and the `BRAVE_API_KEY` environment variable, and installs the `axios` npm package. While these tools provide network and file system access capabilities, they are plausibly needed for a content generation skill (e.g., fetching data from APIs, processing JSON, potentially interacting with content repositories). There is no evidence of prompt injection attempts, malicious instructions, data exfiltration, or any other intentional harmful behavior within the provided files. The content is purely descriptive and aligned with the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use the user's Brave API quota or search access when researching content.
The skill requires an external API key. This is credential-like access, but it is disclosed and fits the skill's research, fact-checking, and SEO functions.
env: ["BRAVE_API_KEY"]
Use a limited, revocable Brave API key and monitor usage; do not provide unrelated credentials.
If used during research, the agent could run network or git-related commands, so users should review any proposed command activity.
The skill requires general-purpose network, JSON-processing, and source-control tools. The artifacts do not show destructive commands, but these tools are broader than simple text generation.
bins: ["curl", "jq", "git"]
Allow command use only when it is clearly tied to the requested content task, and avoid granting access to private repositories unless needed.
Installing the skill may pull code from the npm package ecosystem, which can change over time if not pinned.
The skill installs an npm package despite being instruction-only. This is disclosed and not evidence of malicious behavior, but it introduces an external dependency.
node | package: axios | creates binaries: axios
Verify the package source and version before installation, and prefer pinned dependencies or an isolated environment.