Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blog Cross-Publisher Lite

v1.0.0

Publish markdown articles to Dev.to via their REST API. Use this skill whenever the user wants to publish a blog post or article to Dev.to.

0· 29·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and the instructions consistently describe publishing Markdown to Dev.to, which is coherent. However, the SKILL.md explicitly requires a Dev.to API key while the skill metadata declares no required credentials or primaryEnv, and no code files are included despite referencing a 'scripts/publish_devto.py' script. That mismatch (stated need for a secret but not declared, plus a referenced script that doesn't exist in the bundle) is inconsistent with the stated purpose.
Instruction Scope
The SKILL.md gives narrow, well-scoped runtime instructions: parse a Markdown file, construct a JSON payload, and POST to https://dev.to/api/articles with the api-key header. It does not instruct reading unrelated system files. The practical problem: it instructs running a local Python script at scripts/publish_devto.py, but there is no script in the package — so the agent or user would need to supply or fetch that code, which expands the actual behavior beyond what's bundled.
Install Mechanism
There is no install spec and no code files, which is low risk on its own. However, because the instructions reference an external script that is not provided, an operator/agent may attempt to obtain or generate that script elsewhere; that missing artifact is an operational gap to resolve before trusting the skill.
Credentials
The SKILL.md requires a Dev.to API key (sensitive credential) but the skill metadata declares no required environment variables or primary credential. This is an incoherence: a credential is needed for the task but is not declared. Also, the example shows passing the API key on the command line (python ... --api-key YOUR_API_KEY), which can leak the key in shell history or process listings — a security consideration the instructions do not address.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence. Agent autonomy is enabled by default (disable-model-invocation: false) but that is normal and not by itself concerning here.
What to consider before installing
This skill appears to describe a simple Dev.to publisher, but there are two practical inconsistencies you should resolve before using it: (1) SKILL.md says you need a Dev.to API key but the metadata doesn't declare any required credential — treat this as a missing/undeclared secret requirement; (2) the instructions call a local script (scripts/publish_devto.py) that is not included in the skill package. Do not paste your API key into a command line until you have reviewed the publishing script's source or obtained it from a trusted origin. Prefer providing the API key via a secure environment variable or prompting rather than as a CLI argument (to avoid shell-history/process-list exposure). Ask the publisher for the missing script or supply your own implementation that calls https://dev.to/api/articles, and verify its code before running. If you cannot validate the script or source, treat the skill as untrusted.
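The scan notes above describe the intended behaviour (parse a Markdown file, build a JSON payload, POST it to https://dev.to/api/articles with an api-key header) and the credential-handling flaw (the key passed as a command-line argument). The script below is an added example written for this review; it is not the skill's missing scripts/publish_devto.py and not code from the skill's author. It reads the key from an environment variable (the name DEVTO_API_KEY is this example's choice), refuses a --api-key argument outright, and keeps the network call out of the testable path. The payload field names (title, body_markdown, published, tags, wrapped in an "article" object) follow the Dev.to/Forem articles API as documented by Forem, not anything stated on this page, so check them against the current API reference before relying on them. The sample Markdown is constructed for the example.

```python
"""Minimal Dev.to publisher that never takes the API key on the command line.

Added example for this review; not the skill's own script. Assumes the
Dev.to/Forem articles API shape (POST /api/articles, "api-key" header,
{"article": {...}} body) and an env var named DEVTO_API_KEY.
"""
import json
import os
import re
import sys
import urllib.request

DEVTO_ARTICLES_URL = "https://dev.to/api/articles"

# Constructed sample input: front matter followed by the article body.
SAMPLE_MARKDOWN = """---
title: Hello Dev.to
tags: python, security
published: false
---
# Hello

Body text.
"""


def parse_front_matter(text):
    """Split '---' fenced key: value front matter from the Markdown body."""
    m = re.match(r"^---\r?\n(.*?)\r?\n---\r?\n?(.*)$", text, re.S)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta, m.group(2)


def build_payload(markdown_text):
    """Build the {"article": {...}} JSON payload the Dev.to API expects."""
    meta, body = parse_front_matter(markdown_text)
    title = meta.get("title")
    if not title:
        heading = re.search(r"^#\s+(.+)$", body, re.M)
        title = heading.group(1).strip() if heading else "Untitled"
    tags = [t.strip() for t in meta.get("tags", "").split(",") if t.strip()]
    published = meta.get("published", "false").lower() == "true"  # draft by default
    return {"article": {"title": title, "body_markdown": body,
                        "published": published, "tags": tags}}


def reject_cli_key(argv):
    """Refuse a key on the command line: argv ends up in shell history and `ps`."""
    if any(a == "--api-key" or a.startswith("--api-key=") for a in argv):
        raise SystemExit("refusing --api-key; set DEVTO_API_KEY in the environment instead")


def load_api_key(env=None):
    """Read the key from the environment (injectable for testing)."""
    env = os.environ if env is None else env
    key = env.get("DEVTO_API_KEY", "").strip()
    if not key:
        raise RuntimeError("DEVTO_API_KEY is not set")
    return key


def build_headers(api_key):
    """Headers for the articles endpoint; the key travels only in this header."""
    return {"api-key": api_key, "Content-Type": "application/json"}


def build_request(payload, api_key):
    """Assemble the POST without sending it, so it can be inspected offline."""
    data = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(DEVTO_ARTICLES_URL, data=data, method="POST",
                                  headers=build_headers(api_key))


def publish(markdown_text, api_key, send=urllib.request.urlopen):
    """POST the article; `send` is injectable so tests never hit the network."""
    req = build_request(build_payload(markdown_text), api_key)
    with send(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    reject_cli_key(sys.argv[1:])
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_MARKDOWN
    print(json.dumps(publish(text, load_api_key()), indent=2))
```

Run it as `DEVTO_API_KEY=... python publish_devto.py post.md`; the key never appears in the process argument list, and `published` defaults to false so a misparsed file lands as a draft rather than a live post. Before pasting a real key into any replacement for the missing scripts/publish_devto.py, read the whole file and confirm that the only outbound request goes to https://dev.to/api/articles.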


Tags: blog, claude-skills, content-marketing, cross-posting, devto, hashnode, latest, medium
