Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Contractor Marketing
v1.0.0
AI marketing department for contractors and home service businesses. Use when the user needs help with SEO, Google Business Profile, social media, ad campaig...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to manage many live integrations (Google Business Profile, Google Search Console, GA4, Meta Ads, SMS/email sending, etc.) but declares no required environment variables, credentials, or config paths for connecting to those services. That mismatch suggests the skill either cannot actually perform those live actions without additional secrets, or it expects to use other agent/global credentials (not declared).
Instruction Scope
Runtime instructions ask the agent to run a curl command against an external Supabase URL (including an API key) to pull strategy content, ask 35 onboarding questions (collecting PII such as business name, address, phone, license numbers, payment methods), save answers to workspace memory or MEMORY.md, and set up recurring cron tasks. The external call means user inputs or queries could be sent off-site; the onboarding questions collect sensitive business data which could be retained or transmitted.
Install Mechanism
No install spec or code files that execute on install — this is instruction-only, which minimizes installation-time code risk. There is no package download or binary installation declared.
Credentials
No required env vars are declared despite the skill describing functionality that normally needs many credentials (Google, Meta, email/SMS providers). Separately, the SKILL.md contains an embedded Supabase API key in clear text and a URL; embedding an API key in the instructions is unusual and could allow access to that external project. It's unclear whether that key is read-only/public or a privileged token and whether the endpoint will record queries (including any user-provided inputs).
Persistence & Privilege
always:false (normal) and user-invocable:true. The skill asks the agent to set up scheduled/cron tasks and to store onboarding answers in MEMORY.md or workspace memory — this implies ongoing state and recurring outbound activity, but there is no mechanism shown to actually create OS cron jobs. Users should consider how memory is stored and who can access it; the skill’s requests could result in persistent storage of business PII within the agent.
What to consider before installing
This skill reads and stores detailed business data (address, phone, license numbers, payment methods, employees) and instructs the agent to query an external Supabase endpoint using a hard-coded API key included in the SKILL.md. Before installing, ask the skill author: (1) what is the Supabase endpoint and what data is sent/retained there? Is that API key read-only/public (anon) or a privileged key? (2) Where and how is MEMORY.md/workspace memory stored and who can access it? (3) How does the skill actually connect to Google, Meta, SMS/email providers—what credentials will it request and how are they stored? If you require privacy for customer or business data, do not provide PII until you get clear answers and ideally a version of the skill that uses your own credentials (not an embedded key) and explicit consent for remote calls. If you proceed, limit sensitive inputs, confirm data retention and the retention period, and consider running the skill in a sandboxed environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk970vqbpzwzqnmjg9rdmmygaas846gnt
