Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Customer Research & Validation
v0.1.0 · Conducts in-depth customer research by mining forums, generating surveys and interviews, scraping competitor reviews, and analyzing sentiment to validate mar...
⭐ 0 · 73 · 0 current · 0 all-time
by RunByDaVinci@clawdiri-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The scripts, docs, and CLI wrapper align with the described functionality (Reddit/forum mining, survey/interview generation, persona validation, competitor scraping). However, the SKILL.md and README refer to using 'OpenClaw LLM access for sentiment analysis' while the skill declares no required credentials or primaryEnv; similarly, competitor scraping mentions future browser automation (Playwright) for sites like G2/Trustpilot, but no explicit runtime requirements are declared. These are minor coherence gaps (expected behavior, but not fully documented in the manifest).
Instruction Scope
Runtime instructions are explicit about what will be done: crawling Reddit/public JSON, scraping review sites, writing JSON/markdown to local paths (data/research/, projects/...). The SKILL.md and scripts direct the agent to gather community text and store results locally. This scope is consistent with the purpose, but the docs instruct running recurring jobs (cron) and updating project files, which broadens the scope of file writes; users should review where outputs are stored and any automation hooks before use.
Install Mechanism
The registry lists no formal install spec (instruction-only), which is low risk. The repository includes setup.sh and a Python requirements.txt; running setup.sh would write to disk and install dependencies. No remote downloads from obscure URLs were listed in the manifest excerpts, but any install should be inspected before executing setup.sh or pip installs.
Credentials
The skill references use of the OpenClaw LLM for sentiment analysis and (optionally) Reddit API access, browser automation, and future APIs, but the manifest declares no required environment variables or primary credentials. That is a discrepancy: if you enable authenticated Reddit API use, or if the LLM requires an API key or a webhook, those credentials will be needed but are not declared. Treat any prompts to supply API keys or tokens as significant—only provide them if you trust the source and inspect the code paths that use them.
Persistence & Privilege
The skill is not force-enabled (always: false), and it does not request elevated platform privileges in the manifest. It writes outputs to local project directories per the documentation, which is expected for a research tool. Autonomous invocation is allowed by default (normal), so consider limiting autonomous runs if you worry about automated scraping or exfiltration.
What to consider before installing
This package appears coherent with its stated goal (mining communities, scraping reviews, generating surveys/interviews) but exercise caution before running it:

1) Inspect setup.sh and any scripts for network calls (look for curl, requests, sockets, or any hardcoded remote endpoints) and for any calls that post data externally.
2) Search scripts for invocations of LLM/CLI tools (e.g., openclaw/chat, external API endpoints). Because the manifest does not declare credentials, verify where you would need to provide API keys (Reddit, Playwright-driven sites, or an LLM) and assess whether those keys are necessary.
3) Run the scripts in a sandbox or isolated environment (container or VM) first, with no sensitive credentials mounted, until you confirm behavior.
4) If you plan scheduled/cron runs, ensure outputs are written to a controlled directory and that retention/archival behavior (90 days) is acceptable.
5) If you want a stronger assurance, share the contents of setup.sh and the top-level network-related sections of reddit-miner.py and competitor-scraper.py for focused review; if those files include obfuscated code, undocumented endpoints, or credential exfiltration, my assessment would escalate.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dt3p0tje18nt65k3sm6qxks83cz43
