Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Viralevo

v0.1.0

Self-evolving viral content trend advisor. Monitors 11 platforms, predicts what to post and when, and improves its own accuracy every week automatically.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The name/description (self‑evolving trend advisor monitoring 11 platforms) reasonably explains the need for node, python, and a Tavily API key, but the skill references many local scripts (node {baseDir}/scripts/*.js, python3 {baseDir}/scripts/*.py, db/init_db.py) and a weekly self‑evolution process that would require shipped code and scheduling. No code files are present in the bundle, so the requested binaries/credential cannot actually be used as described.
! Instruction Scope
Runtime instructions tell the agent to run many local scripts, to write the Tavily API key into ~/.openclaw/workspace/.env, to initialize/modify a local DB, and to collect/verify user feedback. Those operations are fine for this purpose in principle, but the instructions assume files and directories ({baseDir}/scripts, db) that are not included — this is incoherent and would cause the agent to attempt running non‑existent code or to seek external sources.
! Install Mechanism
Metadata lists a node install step to "Install npm dependencies (better-sqlite3, axios, dotenv)" but provides no package.json, repository tarball, or authoritative release URL to fetch code. better-sqlite3 is a native module that often requires build tools; the install spec as presented is insufficient and ambiguous, raising the risk that the agent would try to fetch or run code from an unspecified external source.
Credentials
Only TAVILY_API_KEY is declared as required and that aligns with the stated use of Tavily for searches. However the SKILL.md instructs storing the API key in the agent workspace file (~/.openclaw/workspace/.env), which may be acceptable but is less secure than a secret store. No other credentials are requested, which is proportionate.
Persistence & Privilege
The skill does not request always:true or system‑wide changes, and autonomous invocation is the default. The bigger issue is the claim of automatic weekly self‑evolution: SKILL.md describes an automated weekly review but provides no mechanism (cron, scheduler setup, or platform integration) to run weekly jobs, which is inconsistent with the bundle content.
What to consider before installing
This SKILL.md reads like the README for a full project but the skill bundle contains no code files. Before installing or enabling this skill: (1) check the GitHub homepage for the actual repository and verify it contains the referenced scripts, package.json, and install instructions; (2) do not paste your Tavily API key into ~/.openclaw/workspace/.env until you confirm where the code comes from and how it stores/secures secrets; (3) if you expect automatic weekly runs, confirm who/what will schedule them and inspect that installer (cron/systemd/scheduler) and the code that performs self‑evolution; (4) be aware better-sqlite3 may require native build tools; (5) if the published skill package doesn't include the scripts, treat it as incomplete or possibly malicious and avoid installing it. If you want, I can list exact checks to perform on the GitHub repo (files to look for, package.json fields, scripts, and any release tarballs) to decide whether to trust it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📈 Clawdis
Bins: node, python3
Env: TAVILY_API_KEY
Primary env: TAVILY_API_KEY

Install

Install npm dependencies (better-sqlite3, axios, dotenv)
