Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Summary

v1.0.0

Short alias for content-search-summarization. Use this to search public content platforms, rank the top relevant items, and summarize them with links.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: search public platforms, rank results, and summarize with links. That purpose is reasonable and aligns with the guidance in SKILL.md.
Instruction Scope
Instructions stay focused on public content and require capturing metadata and links. However, the fallback instructs using Playwright to scrape result pages; that enables browser automation and arbitrary page access (potentially including interactive elements or pages that require authentication) even though the skill is supposed to target public pages only. The SKILL.md does include conservative summary rules, which is good, but it gives an agent power to open web pages without specifying limits (rate limits, login avoidance, or data handling rules).
Install Mechanism
There is no install spec (instruction-only), which minimizes footprint. But the document explicitly recommends 'opencli' and Playwright as runtime tools; those are not declared as required binaries or installed by the skill, creating an operational mismatch: the agent may need to install or have these tools available to implement the skill.
Credentials
The skill declares no required environment variables or credentials, yet it prefers 'opencli' (which for some platforms may require API keys) and falls back to Playwright scraping (which can access any public page and potentially sensitive data exposed in the browser context). The lack of declared API credentials or guidance about avoiding authenticated scraping is an incoherence and a potential risk.
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify configs, and is user-invocable only. No elevated persistence privileges are requested.
What to consider before installing
This skill appears to do what it says (search and summarize public content), but the runtime instructions mention tools (opencli, Playwright) that may require installation or API credentials that the skill does not declare. Before installing or enabling it:
1) Confirm whether your agent environment already has opencli and/or Playwright and whether they require API keys (e.g., YouTube API); if so, only provide credentials you trust and understand.
2) Decide whether you want the agent to perform headless browser scraping (Playwright); scraping can accidentally access interactive or authenticated content and increase privacy risk.
3) Set clear limits (rate limits, avoid logins, and do not capture cookies or local data) if you let it run.
4) Monitor any prompts the agent makes to install tools or request secrets.
If you need fully auditable behavior, request an explicit install spec and declared environment variables from the skill author before enabling.


latestvk97abq3w4abyggqaqry4fmz8ds845bnv
