Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Marketing Agent

v1.0.0

Automatically create content, post it, and track engagement for PawArtis, trading signals and freelance services on TikTok, Instagram, Telegram and the website.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and SKILL.md align on a marketing automation goal (content planning, creation, posting, tracking). However, the skill declares no required credentials, APIs, or install steps even though programmatic posting and engagement tracking normally require platform credentials or integrations. That absence is an unexplained gap: either the skill is intended as a planner (no automation) or it expects to request credentials at runtime — this should be clarified.
Instruction Scope
SKILL.md is high-level and stays within marketing tasks (plan, create, prepare, track). It does not instruct reading local files or environment variables, nor does it name specific endpoints. But it is vague: "track engagement" and "post" give the agent broad discretion about how to obtain analytics or publish content. Vague/open-ended instructions can lead to the agent prompting for or requesting access to unrelated data or credentials at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files. Low install-surface risk because nothing is written to disk by the skill package itself.
Credentials
The declared requirements list no environment variables, secrets, or primary credential. That is disproportionate to the stated capability of automated posting and analytics retrieval, which normally require OAuth tokens or API keys for each platform. The lack of declared credentials either means the skill cannot perform automated posting/tracking, or it will ask for or expect credentials at runtime — a behavior that should be explicit and justified.
Persistence & Privilege
Skill does not request persistent/always-on presence (always: false) and does not declare elevated privileges. It is user-invocable and can be called by the agent normally; nothing in the metadata suggests system-level persistence or modification of other skills.
What to consider before installing
This skill's intent (plan, create, schedule posts, and track engagement) is reasonable, but it is vague about how it will connect to TikTok, Instagram, Telegram, and your website. Before installing or using it:
- Ask the publisher how it will authenticate to each platform (OAuth, API keys, or manual export) and whether it stores credentials. Do not hand over full account passwords to an unknown skill.
- Require least-privilege tokens (scoped API keys / OAuth with limited scopes) and prefer revocable tokens. Test with a throwaway account first.
- Clarify whether the skill will post autonomously or only prepare drafts for manual approval; autonomous posting requires stronger trust.
- Ask where analytics data and any stored drafts or credentials are saved, for how long, and who can access them.
- If the skill asks at runtime for files, shell access, or system credentials, treat that as a red flag.
Given the unknown source and the mismatch between claimed capabilities and declared requirements, proceed cautiously — treat this as a planning/advice-only tool unless the author provides explicit, secure integration details.
