Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Toingg Ops Toolkit
v1.0.1
Automate Toingg ops by creating campaigns, scheduling daily analytics, converting Excel contacts, uploading lists, and sending WhatsApp template messages.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The scripts and SKILL.md coherently implement Toingg campaign, contact, analytics, and WhatsApp template workflows. However, the registry metadata lists no required environment variables or primary credential, while both the SKILL.md and every script require a TOINGG_API_TOKEN bearer token. The missing declaration is an inconsistency that reduces transparency.
Instruction Scope
Runtime instructions are narrowly scoped to building payloads, calling Toingg API endpoints, converting Excel to JSON, and optionally scheduling a daily cron. The instructions reference storing payloads/analytics in version control or shared storage and instruct ensuring TOINGG_API_TOKEN is exported to the gateway for cron jobs — this is expected for the functionality but raises an operational caution about token exposure to scheduled environments.
Install Mechanism
No install spec is provided (instruction-only skill with shipped scripts). Dependencies are minimal and explicit in SKILL.md (requests, openpyxl). There are no downloads from arbitrary URLs or archive extraction steps.
Credentials
All networked scripts require a single bearer token (TOINGG_API_TOKEN). That is proportionate to the API interactions, but the token requirement is not declared in the skill metadata. The analytics-cron guidance instructs relying on gateway environment inheritance, which could expose the token to scheduled jobs or other components if not configured carefully.
Persistence & Privilege
The skill does not request always:true and contains no code that modifies other skills or system-wide settings. It suggests creating an 'openclaw cron' job only when explicitly requested. Autonomous invocation is allowed by default (normal), so consider the earlier token-access inconsistency when enabling automated runs.
What to consider before installing
This package largely does what it says — scripts call a Toingg API and convert/upload contacts — but the published metadata failed to declare the required TOINGG_API_TOKEN and the publisher/homepage are missing. Before installing or enabling this skill:
1) Treat TOINGG_API_TOKEN as a secret; do NOT commit it to git or expose it in world-readable cron jobs.
2) Confirm the API domain (prepodapi.toingg.com) is the expected endpoint for your account.
3) If you plan to enable the analytics cron, set up the cron in an environment with only the minimal token and permissions needed.
4) Prefer to run these scripts from an isolated account/workspace and review the scripts yourself (they are small and readable).
5) Ask the publisher for provenance (who maintains the skill, a homepage or repo) or reject if you cannot verify the source.
The main technical fix that would increase trust: the skill registry metadata should list TOINGG_API_TOKEN as a required credential and include publisher/contact information.
Like a lobster shell, security has layers — review code before you run it.
