Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

biostartechnologylinkedin

v1.0.0

Write high-performing, persuasive, and authentic LinkedIn posts across any professional niche. Uses research-backed hooks, proven post structures, and Linked...

by Clayton Silva @claytonbernardodasilva
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md content matches the described purpose (creating LinkedIn posts, templates, hooks, and first-comment ideas). However, registry metadata (skill name 'biostartechnologylinkedin', owner ID, and version) does not match the embedded _meta.json (different ownerId, slug 'linkedin-post-engine', and a different version). This metadata mismatch is unexpected and should be explained by the publisher.
Instruction Scope
Runtime instructions are purely about drafting LinkedIn content: asking for audience, goal, proof, producing hooks/posts/variants. There are no instructions to read local files, access environment variables, or transmit data to third-party endpoints beyond a non-actionable link to linkedin.com.
Install Mechanism
Instruction-only skill with no install spec, no binaries, and no code files that would be written to disk. This is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to its stated function (content generation).
Persistence & Privilege
always is false and the skill is user-invocable. disable-model-invocation is false (normal). The skill does not request elevated or persistent privileges.
What to consider before installing
This skill appears to genuinely implement a LinkedIn post-writing template and is instruction-only (lower technical risk). However, the package metadata contains inconsistencies (different owner ID, slug, and version inside _meta.json vs registry metadata). Before installing:
1) confirm the publisher identity and why metadata differs (could be a repackaging or mistake);
2) prefer installing only if you trust the publisher;
3) be cautious about later versions or add-ons that might request LinkedIn credentials or post-on-your-behalf access—do not supply OAuth tokens or passwords unless you verify the integration endpoint and permissions;
4) test generated outputs in a safe/sandbox account and avoid providing real client-sensitive data to the skill.
If the publisher cannot explain the metadata mismatch, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest: vk974fhvsz5tcy90pbzakc2zvpn8332r3


Runtime requirements

💼 Clawdis
