Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ProductClank — Community-Powered Growth

v1.0.0

Community-powered growth for builders. Boost amplifies your social posts with authentic community engagement (replies, likes, reposts). Discover finds releva...

0· 106·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill is a ProductClank/Communiply agent integration and legitimately needs an API key to call ProductClank endpoints. However, the registry metadata lists no required environment variables while the SKILL.md, README, examples, and scripts all reference PRODUCTCLANK_API_KEY (pck_live_...). That mismatch is incoherent: either the skill should declare PRODUCTCLANK_API_KEY as required, or the runtime docs are misleading.
Instruction Scope (flagged)
The SKILL.md and examples instruct the agent to search products, create campaigns, generate posts, and call endpoints that require a bearer API key. They also document a self-registration flow (POST /agents/register) that returns an API key instantly and a linking flow to bind an agent to a human account. These instructions are within the stated purpose, but they grant the agent a clear path to obtain and use credentials autonomously (self-register → get API key → act). The skill references environment variables (PRODUCTCLANK_API_KEY) even though they aren't declared in the registry metadata.
Install Mechanism
No install spec; instruction-only plus a simple helper script. No downloads or archives. Low installer risk.
Credentials (flagged)
The skill requires an API key to operate (numerous examples and the create-campaign script read process.env.PRODUCTCLANK_API_KEY), but the registry entry lists no required env vars. The API key access is proportionate to the functionality, but the registry omission is a significant coherence gap. The docs also reference on-chain payments (USDC on Base) and agent billing flows; these are not represented as required config or credentials in the registry metadata.
Persistence & Privilege
The skill sets always: false (normal) and does not request system-wide persistence. However, the documented ability of agents to self-register and obtain an API key autonomously, and to operate as 'autonomous agents' that bill or consume credits, raises operational risk if the agent is allowed to act without explicit human confirmation. This is not automatically disqualifying, but it is worth noting.
What to consider before installing
- The skill's runtime docs and scripts expect an API key in PRODUCTCLANK_API_KEY, but the skill listing does not declare any required env vars. Confirm with the publisher whether you need to set PRODUCTCLANK_API_KEY; the mismatch could be a packaging/metadata bug or an intentional omission.
- The files reference multiple API hostnames (app.productclank.com vs api.productclank.com). Verify the correct endpoints with the vendor before supplying credentials.
- The SKILL.md documents a self-register flow that returns an API key instantly. If you allow the agent to run autonomously, it could register itself and obtain credentials without explicit human approval, then create campaigns and consume credits. If you are not comfortable with that, do not enable autonomous invocation or provide the key.
- Only provide an API key you trust and can revoke. Prefer creating a limited-scope/test key or linking the agent to an owner account (per the docs) rather than granting full live credentials.
- If you need higher assurance, ask the publisher to correct the registry metadata to declare PRODUCTCLANK_API_KEY as required, unify the documented API hostnames, and confirm whether agent self-registration should be allowed by default. If the publisher is unknown or cannot confirm, avoid installing, or run in a restricted/test environment first.
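One way an operator can enforce the third and fourth points above (no autonomous self-registration, key only from the operator's own environment, one pinned host) is to put a policy wrapper between the skill and the network. The block below is an added example written for this page; it is not code from the ProductClank skill, OpenClaw or ClawHub. The hostname, env var name, pck_live_ prefix and POST /agents/register endpoint are the ones quoted in the scan results; the policy shape, makeGuardedClient, the injected transport hook and the '/products' placeholder path are assumptions.

```javascript
// Added example: an outbound-request policy an agent runtime could wrap
// around a skill's HTTP calls so the 'self-register -> get API key -> act'
// path cannot complete without a human. Not the skill's or scanner's code.
//  - the key comes only from the operator's environment (PRODUCTCLANK_API_KEY)
//  - requests go only to one pinned host, over TLS
//  - approval-gated routes (here the self-registration endpoint documented by
//    the skill) are refused unless the operator recorded an approval for this run
const DEFAULT_POLICY = {
  allowedHosts: ['api.productclank.com'],   // pin one host; confirm the right one with the vendor
  keyEnvVar: 'PRODUCTCLANK_API_KEY',
  keyPrefix: 'pck_live_',
  approvalGated: ['POST /agents/register'], // add credit-spending routes as you identify them
};

function loadApiKey(env, policy = DEFAULT_POLICY) {
  const key = env[policy.keyEnvVar];
  if (!key) throw new Error(`${policy.keyEnvVar} is not set; refusing to self-register to obtain one`);
  if (!key.startsWith(policy.keyPrefix)) throw new Error(`${policy.keyEnvVar} does not look like a ${policy.keyPrefix}* key`);
  return key;
}

// transport({ method, url, headers, body }) performs the real request; it is
// injected so the policy can be exercised offline with a fake transport.
// approvals: Set of 'METHOD /path' strings a human approved for this run.
function makeGuardedClient({ env, transport, approvals = new Set(), policy = DEFAULT_POLICY }) {
  const key = loadApiKey(env, policy);
  return function request(method, url, body) {
    const u = new URL(url);
    if (u.protocol !== 'https:') throw new Error(`refusing non-TLS request to ${u.host}`);
    if (!policy.allowedHosts.includes(u.hostname)) throw new Error(`host ${u.hostname} is not on the allowlist`);
    const route = `${method.toUpperCase()} ${u.pathname}`;
    if (policy.approvalGated.includes(route) && !approvals.has(route)) {
      throw new Error(`${route} requires explicit human approval before the agent may call it`);
    }
    return transport({ method: method.toUpperCase(), url: u.toString(), headers: { authorization: `Bearer ${key}` }, body });
  };
}

// Constructed demo: a fake transport that only records what would be sent.
// '/products' is a placeholder path, not taken from the skill's docs.
function demo() {
  const sent = [];
  const fakeTransport = (req) => { sent.push(req); return { status: 200 }; };
  const env = { PRODUCTCLANK_API_KEY: 'pck_live_EXAMPLE' };  // constructed, not a real key
  const outcomes = {};
  const attempt = (label, fn) => {
    try { fn(); outcomes[label] = 'allowed'; } catch (e) { outcomes[label] = 'blocked: ' + e.message; }
  };

  attempt('missing key', () => makeGuardedClient({ env: {}, transport: fakeTransport }));
  const client = makeGuardedClient({ env, transport: fakeTransport });
  attempt('search on pinned host', () => client('GET', 'https://api.productclank.com/products?q=agent'));
  attempt('other hostname', () => client('GET', 'https://app.productclank.com/products'));
  attempt('plain http', () => client('GET', 'http://api.productclank.com/products'));
  attempt('self-register, no approval', () => client('POST', 'https://api.productclank.com/agents/register', {}));
  const approved = makeGuardedClient({ env, transport: fakeTransport, approvals: new Set(['POST /agents/register']) });
  attempt('self-register, approved', () => approved('POST', 'https://api.productclank.com/agents/register', {}));
  return { outcomes, sent };
}

for (const [label, result] of Object.entries(demo().outcomes)) console.log(`${label}: ${result}`);
```

The transport is injected rather than calling fetch directly so the policy can be unit-tested without network access; in a real runtime the approvals set would be populated from an explicit operator action, never by the agent itself.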
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/create-campaign.mjs:18 - Environment variable access combined with network send.
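The two findings above (an env var read by code but absent from the registry metadata, and a file that both reads the environment and sends over the network) are mechanical enough to check yourself before installing any skill. The block below is an added example written for this page, not ClawHub's scanner or the ProductClank skill's code: it audits a manifest plus a set of skill files for undeclared env vars, env-access-plus-network-send in the same file, the set of API hostnames referenced, and any mention of the self-registration endpoint. The manifest field name requiredEnv is an assumption, and the sample files are constructed stand-ins shaped like the report's description (the '/campaigns' path is a placeholder), not the skill's real contents.

```javascript
// Added example, not the scanner's or the skill's code. Offline reproduction
// of the checks behind this listing's findings, run over constructed input.
const ENV_RE = /process\.env\.([A-Z][A-Z0-9_]*)/g;
const URL_RE = /https?:\/\/([a-z0-9.-]+)(\/[^\s'")]*)?/gi;
const NET_SEND_RE = /\b(fetch|axios\.[a-z]+|https?\.request|got)\s*\(/;
const SELF_REGISTER_RE = /\/agents\/register\b/;

function addRef(map, key, file) {
  const list = map.get(key) || [];
  if (!list.includes(file)) list.push(file);
  map.set(key, list);
}

// manifest: registry metadata ({ requiredEnv: [...] } is an assumed field name)
// files: { path: contents }
function auditSkill(manifest, files) {
  const declared = new Set(manifest.requiredEnv || []);
  const envRefs = new Map();   // VAR -> files that read it via process.env
  const hosts = new Map();     // hostname -> files that reference it
  const findings = [];

  for (const [file, text] of Object.entries(files)) {
    const vars = new Set([...text.matchAll(ENV_RE)].map(m => m[1]));
    for (const v of vars) addRef(envRefs, v, file);
    for (const m of text.matchAll(URL_RE)) addRef(hosts, m[1].toLowerCase(), file);
    if (vars.size > 0 && NET_SEND_RE.test(text)) {
      findings.push({ level: 'review', file, msg: 'environment variable access combined with network send' });
    }
    if (SELF_REGISTER_RE.test(text)) {
      findings.push({ level: 'review', file, msg: 'references self-registration endpoint /agents/register (key issued at runtime)' });
    }
  }
  for (const [v, where] of envRefs) {
    if (!declared.has(v)) findings.push({ level: 'mismatch', file: where.join(', '), msg: `${v} is read by the skill but not declared in registry metadata` });
  }
  for (const v of declared) {
    if (!envRefs.has(v)) findings.push({ level: 'mismatch', file: 'manifest', msg: `${v} is declared but never read` });
  }
  if (hosts.size > 1) {
    findings.push({ level: 'review', file: 'all', msg: `multiple API hostnames referenced: ${[...hosts.keys()].sort().join(', ')}` });
  }
  return { envRefs: Object.fromEntries(envRefs), hosts: Object.fromEntries(hosts), findings };
}

// Constructed sample input shaped like this listing: no env vars declared,
// a script that reads the key and sends it, docs that mention two hostnames
// and the self-registration flow. Not the skill's real files.
const SAMPLE_MANIFEST = { name: 'productclank', version: '1.0.0', requiredEnv: [] };
const SAMPLE_FILES = {
  'scripts/create-campaign.mjs': [
    "const apiKey = process.env.PRODUCTCLANK_API_KEY;",
    "const ENDPOINT = '/campaigns'; // placeholder path, not taken from the skill",
    "const res = await fetch('https://api.productclank.com' + ENDPOINT, {",
    "  method: 'POST', headers: { authorization: 'Bearer ' + apiKey }, body: JSON.stringify(campaign) });",
  ].join('\n'),
  'SKILL.md': [
    "Set PRODUCTCLANK_API_KEY (pck_live_...) before use.",
    "No key yet? POST https://app.productclank.com/agents/register returns one instantly.",
  ].join('\n'),
};

function sampleAudit() { return auditSkill(SAMPLE_MANIFEST, SAMPLE_FILES); }

for (const f of sampleAudit().findings) console.log(`[${f.level}] ${f.file}: ${f.msg}`);
```

Declaring PRODUCTCLANK_API_KEY in the manifest clears the mismatch finding but not the review findings: a file that reads a secret and sends it somewhere still deserves a look at where it sends it, which is what the hostname inventory is for.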


latest: vk975jhv8y39ec40nykpr20jbes832rsw

