Upstage Builder
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to provide an Upstage API key, and API use may count against your Upstage account limits or billing.
The skill requires a user-provided Upstage API key for its main functionality. This is expected for an Upstage integration, but it grants API account access and may consume account credits.
Always use `os.environ["UPSTAGE_API_KEY"]`. Never hardcode keys. Users get their key from console.upstage.ai.
Use a dedicated Upstage key with appropriate limits, keep it in environment variables, and avoid sharing it in generated code or logs.
Documents you choose for OCR, parsing, classification, or extraction may be uploaded to Upstage for processing.
The example sends a user-specified local document to Upstage for document parsing. This is purpose-aligned, but documents may contain sensitive content and leave the local environment.
requests.post("https://api.upstage.ai/v1/document-digitization", headers={"Authorization": f"Bearer {api_key}"}, files={"document": f}, ...)Only process files you are comfortable sending to Upstage, and review Upstage’s data handling policy for sensitive documents.
If you ask for a full web app, the agent may create a project and work toward a deployed, shareable URL rather than only providing code.
The skill can guide the agent beyond code generation into project creation and deployment. This is disclosed and aligned with full webapp requests, but deployment is a higher-impact action than local code generation.
For full webapp requests, do not stop at code generation. Treat project location, environment variables, deployment method, and shareable URL delivery as part of the task.
Confirm the project location, deployment provider, visibility mode, and any environment variables before allowing deployment.