Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Analyzer

v2.1.1

Social media campaign analysis and performance tracking. Calculates engagement rates, ROI, and benchmarks across platforms. Use for analyzing social media pe...

by Alireza Rezvani (@alirezarezvani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the provided artifacts: SKILL.md, example input/output, benchmark reference, and two Python scripts that calculate metrics, ROI, and recommendations. The code and instructions are consistent with a social media analytics tool — no unrelated binaries, credentials, or external services are requested.
Instruction Scope
SKILL.md instructs running the included Python scripts and defines metrics and value tables. However, the runtime behavior diverges from the documentation and expected output: calculate_engagement_rate (per-post) includes saves in engagements, but calculate_campaign_metrics (campaign totals) omits saves when summing total_engagements, causing avg_engagement_rate and ROI to be computed from inconsistent totals. Also, SKILL.md lists per-action monetary values but scripts use a single avg_value_per_engagement = 2.50 rather than computing value from per-action values. These inconsistencies will produce different numbers than the documentation/expected_output and may silently mislead users.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). Nothing is downloaded or installed automatically; the risk surface is limited to running the included Python code locally.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The Python scripts do not reference environment secrets or network endpoints; they operate on provided JSON input only.
Persistence & Privilege
The skill does not request persistent/autonomous privileges (always: false). It does not modify other skills or system-wide settings based on the provided files.
What to consider before installing
This skill is not showing malicious behavior, but it has implementation/documentation mismatches that can produce incorrect metrics. Before trusting results:
(1) Run the included scripts locally with the provided assets/sample_input.json and compare to assets/expected_output.json to reproduce differences.
(2) Inspect and fix calculate_metrics.calculate_campaign_metrics: it currently sums likes+comments+shares but omits saves, while per-post engagement includes saves. Add saves to total_engagements to align totals.
(3) Decide whether ROI should use per-action values from SKILL.md (likes $0.50, comments $2, etc.) or a flat avg_value_per_engagement; if using per-action values, change calculate_roi_metrics to compute estimated_value = likes*$0.50 + comments*$2 + ... for accurate ROAS.
(4) Verify benchmark units are consistent (both docs and code use percent values) and that string formatting doesn't mislead (e.g., numeric values vs percent strings).
(5) Because the skill runs Python code, only run it on non-sensitive data until you audit it; no external network calls are present, but you should still review the code before executing in a sensitive environment.

Like a lobster shell, security has layers — review code before you run it.
