Upstage Builder
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: upstage-builder Version: 1.0.0 The upstage-builder skill bundle is a legitimate developer tool designed to help AI agents scaffold, build, and deploy applications using Upstage's Solar LLM and document APIs. The bundle includes comprehensive documentation, functional examples for RAG and document processing, and utility scripts for project initialization (init_webapp_project.py) and documentation synchronization (refresh_references.py). The instructions in SKILL.md are well-aligned with the stated purpose, emphasizing security best practices such as using environment variables for API keys and preferring password-protected deployments. The scripts perform necessary file and network operations with appropriate safeguards, such as input slugification to prevent path traversal.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to provide an Upstage API key, and API use may count against your Upstage account limits or billing.
The skill requires a user-provided Upstage API key for its main functionality. This is expected for an Upstage integration, but it grants API account access and may consume account credits.
Always use `os.environ["UPSTAGE_API_KEY"]`. Never hardcode keys. Users get their key from console.upstage.ai.
Use a dedicated Upstage key with appropriate limits, keep it in environment variables, and avoid sharing it in generated code or logs.
Documents you choose for OCR, parsing, classification, or extraction may be uploaded to Upstage for processing.
The example sends a user-specified local document to Upstage for document parsing. This is purpose-aligned, but documents may contain sensitive content and leave the local environment.
requests.post("https://api.upstage.ai/v1/document-digitization", headers={"Authorization": f"Bearer {api_key}"}, files={"document": f}, ...)Only process files you are comfortable sending to Upstage, and review Upstage’s data handling policy for sensitive documents.
If you ask for a full web app, the agent may create a project and work toward a deployed, shareable URL rather than only providing code.
The skill can guide the agent beyond code generation into project creation and deployment. This is disclosed and aligned with full webapp requests, but deployment is a higher-impact action than local code generation.
For full webapp requests, do not stop at code generation. Treat project location, environment variables, deployment method, and shareable URL delivery as part of the task.
Confirm the project location, deployment provider, visibility mode, and any environment variables before allowing deployment.