Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Marketing Tool

v1.0.0

Full marketing automation with prospects, campaigns, outreach tracking, solutions catalog, agent conversation logs, and cost tracking — built for AI agents.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the listed endpoints (prospects, campaigns, outreach, costs, conversation logs). However, it is unusual that a tool offering account-level marketing operations requires no credentials or config and relies solely on an on-request crypto payment model; that design is plausible but nonstandard and worth questioning.
! Instruction Scope
SKILL.md instructs agents to call an external gateway (https://gateway.mcfagentic.com) and to post prospect data, campaign definitions, and agent conversation logs. That means the agent will transmit potentially sensitive PII and internal conversation content to an unknown third party. The doc also instructs using a 402 payment flow; it does not limit what data should be sent, nor does it provide privacy/retention rules.
Install Mechanism
Instruction-only skill with no install steps or binaries — low risk from installation or code execution on disk.
! Credentials
The skill declares no environment variables or credentials, yet expects full marketing operations including prospect research and conversation logs. Absence of conventional auth (API keys, tokens) means data/authorization is handled via payment; this is atypical and increases risk because there's no clear access control or owner identity.
Persistence & Privilege
The skill is not set to always:true and is user-invocable (defaults), but model invocation is allowed. Autonomous agent invocation plus the ability to send sensitive records to an external gateway increases the blast radius if the skill is used without strict governance.
What to consider before installing
This skill will send prospects, campaign info, cost data, and agent conversation logs to an external host (gateway.mcfagentic.com) in exchange for on-chain payments. Before installing:
(1) Verify the provider (homepage, company, privacy policy, data retention, and contact).
(2) Do not allow the skill to handle real PII or internal conversations until you trust the endpoint; test with synthetic data.
(3) Require human approval or network egress controls for any call that would transmit sensitive data.
(4) Ask for standard auth options (API keys, OAuth) and an audit/logging policy instead of payment-only gating.
(5) If you must use it, monitor outbound calls, crypto payments, and the data stored by the provider.
If you cannot validate the operator and privacy practices, avoid granting this skill autonomous invocation or using it with real customer data.
