Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Skills Weekly
v1.1.0
OpenClaw Skills Weekly — tracks trending ClawHub skills, generates GitHubAwesome-style YouTube video scripts with two-track ranking (Movers + Rockets).
⭐ 0 · 380 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code fetches ClawHub API pages, stores snapshots, computes velocity, harvests READMEs, and uses an LLM (Anthropic) for script generation. Required binary (python3) and required env var (ANTHROPIC_API_KEY) align with the described functionality. Optional env vars (GITHUB_TOKEN, XAI_API_KEY, CLAWHUB_BASE_URL) are also justified by their stated uses.
Instruction Scope
SKILL.md instructs installing requirements and running the pipeline (discovery → snapshot → rank → harvest → script). It also documents a 'community' mode that uses web searches and an X/Twitter capture step — this expands network access but is consistent with the stated community-signal feature. The pipeline writes local files (SQLite DB, markdown, script text). No instructions request unrelated system secrets or broad file-system scraping. Note: the CLI suggests running docker exec for scheduled runs, which is normal for automation but will run the same code inside the gateway/container.
Install Mechanism
There is no formal install spec (instruction-only skill) and files are pure Python. The SKILL.md asks to run pip install -r requirements.txt; installing third‑party Python packages is expected but always worth reviewing. No downloads from suspicious URLs or archive extraction are present in the manifest.
Credentials
Only one required environment variable is declared (ANTHROPIC_API_KEY), which is appropriate for the LLM script-generation step. Other environment variables are optional and have clear justifications (GITHUB_TOKEN for fetching READMEs, XAI_API_KEY for optional X capture, CLAWHUB_BASE_URL for testing). No unrelated cloud or system credentials are required.
Persistence & Privilege
always:false (normal). The skill creates and writes to a local SQLite DB and a workspace data directory; it also can write to a host mount path (/mnt/host/skills-weekly) if available or when HOST_OUTPUT_DIR is set. This is consistent with a reporting pipeline but you should be aware it persists data to disk and may expose outputs to host mounts if the container is mounted.
Assessment
This skill appears to do exactly what it says: fetch public ClawHub data, record snapshots to a local SQLite DB, optionally fetch READMEs, compute rankings, and call Claude (Anthropic) to generate scripts. Before installing or running it:
1) inspect requirements.txt to ensure no unexpected packages are installed;
2) keep your ANTHROPIC_API_KEY secret and provide it only if you want LLM script generation (without it the pipeline skips the LLM step);
3) set SKILLS_WEEKLY_DATA and HOST_OUTPUT_DIR if you want to control where the DB and reports are stored (the default can write to a host mount if present);
4) if you don't want social capture, run with --skip-x or omit XAI_API_KEY;
5) consider running in an isolated container or VM, and run the pipeline in snapshot-only mode first to observe behavior before enabling network-intensive modes.
If you want extra assurance, review script_generator.py to confirm the Anthropic client uses the expected API endpoints and that no unexpected remote endpoints are contacted.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python3
Env: ANTHROPIC_API_KEY
