Naver Writer ACP
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Naver Blog publishing purpose, but it includes an internal admin dispatch fallback and persistent unpinned runner setup that users should review carefully.
Before installing, confirm you trust the external thin-runner package and the ACP execute URL, avoid setting ACP_ADMIN_API_KEY unless you intentionally need internal debugging, and make sure you understand any local background service the setup command installs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If admin credentials are present in the environment, a publish job may be sent through an internal/admin path instead of the marketplace offering path, bypassing normal scoped execution and billing/tracking controls.
The normal publish script can use ACP admin credentials to call a direct dispatch endpoint if the preferred offering execute URL is absent.
ADMIN_KEY_RAW="${ACP_ADMIN_API_KEY:-${ACP_CONTROL_PLANE_API_KEYS:-}}" ... "${CONTROL_PLANE_URL%/}/v2/jobs/dispatch-and-wait"Remove the admin fallback from the public skill or require a separate explicit debug command/flag with clear warnings, scoped credentials, and user confirmation.
Setup depends on code fetched or resolved outside this skill package, so the reviewed artifacts do not fully show what the thin runner will do during setup/login.
The setup flow executes an external npm package without a pinned version in the reviewed artifacts.
runner_cmd=(npx @y80163442/naver-thin-runner setup)
Pin the runner package version, document its provenance, and provide verification or lockfile information for users.
The local Naver thin-runner may continue operating as a background service after setup, which is expected for this workflow but should be visible to the user.
The setup command defaults to enabling auto-service behavior for the local runner, suggesting persistent background service configuration.
AUTO_SERVICE="${AUTO_SERVICE:-both}" ... runner_cmd+=(--auto-service "$AUTO_SERVICE")Document exactly what services are installed, how to stop or uninstall them, and consider making auto-service opt-in rather than the default.
The post content is sealed locally before submission, but job metadata and attestations are still shared with the configured ACP endpoint as part of publishing.
The publish flow sends runner attestation and sealed job payload data to an externally configured offering execute URL.
runner_attestation: identity.runner_attestation, sealed_payload: sealed.sealed_payload ... -d "$execute_body" "$OFFERING_EXECUTE_URL"
Use only trusted offering execute URLs, document what metadata is transmitted, and avoid configuring sensitive endpoints casually.