Artidrop
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Artidrop is a coherent publishing skill, but users should remember it sends chosen content to an external service and creates shareable links.
Before installing, be comfortable with an npm CLI publishing selected content to Artidrop. Do not use it for confidential material unless the visibility and account controls match your needs, and only configure an API key if you need authenticated management features.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything published may become accessible through a shareable URL, so sensitive or private material could be exposed if the user chooses the wrong content or visibility.
The skill discloses an external provider data flow for user-selected content; this is expected for publishing but matters because content leaves the local conversation/workspace.
The Artidrop CLI sends user-specified content to `api.artidrop.ai` over HTTPS when the user explicitly runs a publish command.
Only publish content the user explicitly wants hosted, review the content first, and choose the appropriate visibility setting.
If an API key is configured, the agent may be able to manage the user’s Artidrop artifacts, not just create anonymous one-off pages.
The skill can use an API key for authenticated account-level actions such as update, delete, and list; this is disclosed and purpose-related but expands authority.
`"ARTIDROP_API_KEY", "optional": true, "description": "API key for authenticated features (higher rate limits, update/delete/list). Not required for anonymous publishing."`
Configure the API key only if authenticated features are needed, and require clear user intent before updating or deleting artifacts.
The installed CLI package performs the actual publishing behavior, so users rely on the npm package’s integrity and updates.
The skill depends on installing and running an external npm package, which is expected for this CLI-based publishing workflow but means behavior depends on that package supply chain.
[0] node | package: artidrop | creates binaries: artidrop
Install from the intended package source, consider pinning or reviewing the package for sensitive environments, and keep the CLI updated from trusted channels.
A mistaken publish, update, or delete command could expose the wrong material or remove a hosted artifact.
The skill documents commands that can publish entire sites and, with authentication, delete artifacts. These are disclosed and aligned with the service, but they are impactful actions.
`artidrop publish ./my-site/ --title "Portfolio" ... artidrop delete <artifact-id> --yes`
Use these commands only after clear user request, confirm destructive actions such as delete, and verify paths/titles/visibility before publishing.
