Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Launch Blitz
v1.0.0
Automatically formats, submits, and tracks your product launch across 21 major startup directories with tailored listings and status monitoring.
by zinou @casperzinou
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is to auto-format, submit, and track listings across 21 platforms. However, SKILL.md and the package.json list no integration methods (APIs, endpoints, or automation tools) and the manifest declares no credentials or env vars. Many listed platforms (e.g., ProductHunt, Betalist, Hacker News, X) require authenticated accounts or platform-specific submission flows — the required access is missing, so the declared capability is disproportionate to the provided requirements.
Instruction Scope
Runtime instructions are high-level and open-ended ('Run the launch blitz'; 'Your AI will ask...') but give no safe, constrained procedure for performing submissions. They don't specify whether submissions are done via official APIs, web automation, or manual guidance. That vagueness can cause the agent to (a) ask the user for account credentials or cookies, (b) instruct local browser automation, or (c) send data to unspecified endpoints — any of which increases risk.
Install Mechanism
There is no install spec and no code files to execute beyond the SKILL.md and a minimal package.json. This reduces risk from downloaded/embedded binaries. However, because it's instruction-only, the agent's runtime behavior will depend entirely on the agent environment and available tools (browser, HTTP client, automation), which is not described.
Credentials
The manifest declares no required environment variables or primary credential, yet the skill's tasks inherently require account credentials or API keys for multiple third-party services. The absence of declared credential requirements is disproportionate and ambiguous — the agent may solicit credentials interactively or ask users to paste tokens into chat, which is risky.
Persistence & Privilege
The skill is not marked 'always:true' and uses normal autonomous invocation settings. It does not request system-level persistence or configuration changes in the manifest. That said, because instructions are open-ended, the agent could be instructed to store credentials or logs elsewhere if the user provides them — the manifest does not authorize or describe any storage behavior.
What to consider before installing
This skill's goal (automated multi-platform submission) reasonably requires platform accounts, APIs, or browser automation, but the skill provides none of those details. Before installing or using it, ask the author: which integration methods are used for each platform (API vs manual web form), how authentication is handled (OAuth/app tokens vs passwords), and where/if credentials are stored. Do not paste account passwords into chat — prefer short-lived API tokens or OAuth redirects. If you plan to test it, use throwaway accounts and a dummy product. If the author cannot supply concrete integration docs or a safe auth flow, treat the skill as risky and avoid giving it real credentials.
Like a lobster shell, security has layers — review code before you run it.
