Upstage Builder
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is a coherent Upstage API builder, but users should notice that it uses an Upstage API key, can upload selected documents to Upstage, and may scaffold/deploy web apps.
This skill appears suitable for building Upstage-based apps and workflows. Before installing or using it, be ready to provide an UPSTAGE_API_KEY, confirm any deployment target such as Vercel, and avoid uploading documents that should not be processed by Upstage.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to provide an Upstage API key, and API use may count against your Upstage account limits or billing.
The skill requires a user-provided Upstage API key for its main functionality. This is expected for an Upstage integration, but it grants API account access and may consume account credits.
Always use `os.environ["UPSTAGE_API_KEY"]`. Never hardcode keys. Users get their key from console.upstage.ai.
Use a dedicated Upstage key with appropriate limits, keep it in environment variables, and avoid sharing it in generated code or logs.
Documents you choose for OCR, parsing, classification, or extraction may be uploaded to Upstage for processing.
The example sends a user-specified local document to Upstage for document parsing. This is purpose-aligned, but documents may contain sensitive content and leave the local environment.
requests.post("https://api.upstage.ai/v1/document-digitization", headers={"Authorization": f"Bearer {api_key}"}, files={"document": f}, ...)Only process files you are comfortable sending to Upstage, and review Upstage’s data handling policy for sensitive documents.
If you ask for a full web app, the agent may create a project and work toward a deployed, shareable URL rather than only providing code.
The skill can guide the agent beyond code generation into project creation and deployment. This is disclosed and aligned with full webapp requests, but deployment is a higher-impact action than local code generation.
For full webapp requests, do not stop at code generation. Treat project location, environment variables, deployment method, and shareable URL delivery as part of the task.
Confirm the project location, deployment provider, visibility mode, and any environment variables before allowing deployment.