Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description claim a 'sync from cloud repo' capability which matches the SKILL.md reference to a GitHub repository. However, the packaged skill provides no code, no concrete sync implementation, and no declared dependencies — it essentially delegates all action to fetching external repo contents, which is an incomplete packaging choice.
Instruction Scope
The SKILL.md tells the agent to 'visit the cloud repo to get the full skill files and instructions' and allows Bash. This is vague and grants broad discretion: an agent could download and execute code from that external repo (or run arbitrary network/shell commands) even though no safe constraints, verification steps, or exact commands are provided.
Install Mechanism
There is no install spec (lowest-risk packaging), but the instructions explicitly point to an external GitHub repo as the source of runtime files. GitHub is a known host (not a shortener or personal IP), but because the skill relies on fetching code that is not bundled or vetted, the effective install mechanism is 'download-and-run' which raises risk unless the repo is inspected first.
Credentials
The skill requests no environment variables, credentials, or config paths. There is no apparent demand for unrelated secrets.
Persistence & Privilege
always is false and there is no indication the skill requests persistent system-wide changes or elevated privileges. It does, however, permit autonomous invocation (the platform default).
What to consider before installing
This skill package is incomplete: it only points to a GitHub repo and asks you to get the real files yourself. Before enabling it, inspect the referenced repository (https://github.com/anbeime/skill → skills/content-creation-publisher/) and review any scripts or binaries there. Do not allow the agent to autonomously download-and-execute remote code you haven't reviewed. If you must use it, either (1) vet and fork the repo, then install from your fork, or (2) restrict the agent's ability to run shell/network commands and only provide verified code/artifacts. If you can't review the repo or don't trust the source, avoid installing this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk971vvkde1vbfsb96rs7npgd9s823mvx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.