Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Creator Assistant

v1.0.0

AI writing assistant using Reflection + Tree of Thoughts for high-quality content creation. Generates articles, blogs, and documentation with iterative refin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and code all describe a content-writing assistant (Tree of Thoughts + Reflection). The code implements those behaviors and does not request unrelated credentials or system access. However, the manifest/README claims 'instruction-only' while code files are present — this mismatch is unexpected but not itself dangerous.
Instruction Scope
SKILL.md usage and workflow stay within the declared purpose and do not instruct reading unrelated files or exfiltrating data. But there are inconsistencies: index.js requires './agents/tree-of-thoughts' and './agents/reflection' while the repository provides a single agents/content-agents.js file exporting TreeOfThoughtsAgent and ReflectionAgent. This broken import structure means the code as packaged will fail to run; it's unclear whether this is an accidental packaging bug or an incomplete/modified package.
Install Mechanism
No install spec is provided (instruction-only from the registry's perspective), which is low risk. The package does include code files and a package.json but no declared installation process; the SKILL.md includes an example 'clawhub install' command but no actual install manifest. The absence of an install script is coherent with low install risk, but the mismatch should be clarified.
Credentials
No required environment variables, binaries, or config paths are declared or used. The code does not read environment variables or call external endpoints directly — it relies on an injected llm object. This is proportionate to a content-generation skill.
Persistence & Privilege
Flags (always: false, user-invocable: true, disable-model-invocation: false) are normal for a user-invocable skill. The skill does not request permanent presence or attempt to modify other skills or system-wide settings.
What to consider before installing
This skill's functionality (content writing with Tree of Thoughts + Reflection) matches its description and it doesn't request secrets or network access by itself — good. However, the package has coherence issues: index.js imports './agents/tree-of-thoughts' and './agents/reflection' but the repository provides agents/content-agents.js (different paths/names), and SKILL.md implies 'instruction-only' despite code files being present. These problems will likely cause the skill to fail or be incomplete. Before installing or enabling this skill:

1) Inspect and run the code in a safe sandbox;
2) Ask the publisher to provide corrected/consistent files (or fix require paths to ./agents/content-agents.js);
3) If you plan to run it inside an automated agent, ensure the llm implementation you inject is trusted (the code delegates generation to an llm object, which could, in principle, perform network calls depending on its implementation);
4) Prefer not to grant it broad privileges or production access until the packaging/consistency issues are resolved.

Like a lobster shell, security has layers — review code before you run it.
