Telegram Marketing Audit Adarsh
v1.0.0
Handles Telegram /marketing_audit command by running a marketing audit on an Instagram handle or website domain and returning the report.
by Adarsh More (@adarshvmore)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the implementation: this is a Telegram slash-command handler that forwards the instagramHandle/websiteDomain to a 'marketing-orchestrator' skill and returns a report. There are no unrelated binaries or surprising actions in the handler itself.
Instruction Scope
SKILL.md contains only a short handler that validates args, replies to the user, and calls context.callSkill('marketing-orchestrator'). That scope is appropriate for a thin command handler. The handler delegates all collection and network work to the orchestrator, so the real behavior depends on that other skill.
Install Mechanism
Instruction-only skill with no install spec and no code files beyond a small handler snippet; nothing is downloaded or written to disk by this skill itself.
Credentials
The SKILL.md explicitly tells operators to "Ensure environment variables for collectors (API keys) are set," yet the registry metadata declares no required env vars. Because this skill delegates to an external 'marketing-orchestrator', required credentials are likely needed by that other skill — this mismatch (no declared env but a textual instruction to set keys) is a red flag: you should inspect the orchestrator to see exactly which secrets it needs.
Persistence & Privilege
No elevated persistence requested (always:false). Default autonomous invocation is allowed but appropriate for a user-invocable handler; the skill does not request cross-skill config writes or system-wide changes.
What to consider before installing
This handler itself is small and plausible, but it does not perform the audits — it calls a separate 'marketing-orchestrator' skill. Before installing: (1) locate and review the marketing-orchestrator skill's code/manifest to see what network/API calls and environment variables (API keys, tokens) it requires; (2) verify any requested API keys are minimal and only for services you expect (Instagram, analytics providers, etc.); (3) avoid providing broad credentials (AWS/GCP root keys, unrelated service tokens) unless you understand why they're needed; (4) register the Telegram slash command in a test environment first and run audits with dummy inputs to confirm behavior; and (5) prefer installing only if you can audit the orchestrator or it comes from a trusted source. If you cannot review the orchestrator, treat this skill as risky because it grants a pathway to whatever the orchestrator does.
Like a lobster shell, security has layers — review code before you run it.
latest vk97eek420gryhgatwksgd1a53h82a3ex
