ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Moderation

Moderate text, images, and video using Vettly's content moderation API via MCP server.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.7k · 0 current installs · 0 all-time installs
byBrian Palmer@code-with-brian
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's declared purpose (moderating text/images/video via Vettly) matches the instructions in SKILL.md: it expects a VETTLY_API_KEY and uses an MCP server implementation. However, the registry metadata at the top of the package claims no required env vars or binaries while the SKILL.md (and its embedded metadata) explicitly require VETTLY_API_KEY and the npx binary. That metadata mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md stays focused on moderation tasks (list policies, validate policy YAML, moderate content, query usage/decisions). It does not instruct reading unrelated files or other environment variables, nor does it instruct sending data to endpoints outside Vettly/MCP. It does instruct using URLs for images/videos rather than raw binary uploads.
!
Install Mechanism
There is no formal install spec, but the runtime instructions tell you to run an MCP server via `npx -y @vettly/mcp`. That will fetch and run code from the npm registry at runtime. The package is not pinned to a specific version in the example, increasing supply-chain risk (you could fetch arbitrary future code). This is a moderate-risk pattern and worth auditing (pin versions, vet the package, run in isolated environment).
Credentials
The only credential required by SKILL.md is VETTLY_API_KEY, which is appropriate for a moderation integration. But the top-level registry metadata claims no required env vars or primary credential; SKILL.md's own embedded metadata lists VETTLY_API_KEY and npx. The mismatch between declared and actual required env vars/binaries is confusing and should be corrected. Ensure the API key has least-privilege and limited scope/rotation.
Persistence & Privilege
The skill does not request always:true, does not ask to modify other skills or system-wide config, and has no install step that writes persistent system files. It relies on an external MCP server process (via npx), which is normal for this pattern.
What to consider before installing
Things to check before installing/using: - Metadata mismatch: SKILL.md requires VETTLY_API_KEY and npx, but the registry metadata lists none — confirm the real requirements before proceeding. - API key scope: Use a VETTLY_API_KEY with the minimum permissions needed, rotate keys, and avoid putting long-lived high-privilege keys in shared places. - Supply-chain risk: The SKILL.md example runs `npx -y @vettly/mcp` without pinning a version. Prefer a pinned version (e.g., @vettly/mcp@1.2.3), review the package source, or run it in an isolated container to limit risk. - Audit the MCP package: Inspect @vettly/mcp source code (or vendor a reviewed version) to ensure it doesn't exfiltrate data or request additional secrets. - Data handling and privacy: Moderation sends user content (text, image/video URLs) to Vettly. Verify Vettly's data retention and privacy policies before sending sensitive content. - Operational controls: Monitor usage and costs (get_usage_stats can help), and restrict where image/video URLs point (avoid URLs that leak internal network resources or credentials). - If you need stronger assurance: ask the author/owner for corrected registry metadata, a pinned package version, and a reproducible deployment recipe (or provide your own vetted MCP server binary/image). Overall: the skill appears to do what it claims, but the metadata inconsistency and unpinned use of npx/npm introduce supply-chain and clarity concerns — review and harden those areas before enabling the skill in production.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9721h66q0ypbrjc156m8cd6b1808dwh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Content Moderation

Moderate user-generated content using Vettly's AI-powered content moderation API. This skill uses the @vettly/mcp MCP server to check text, images, and video against configurable moderation policies with auditable decisions.

Setup

Add the @vettly/mcp MCP server to your configuration:

{
  "mcpServers": {
    "vettly": {
      "command": "npx",
      "args": ["-y", "@vettly/mcp"],
      "env": {
        "VETTLY_API_KEY": "your-api-key"
      }
    }
  }
}

Get an API key at vettly.dev.

Available Tools

moderate_content

Check text, image, or video content against a Vettly moderation policy. Returns a safety assessment with category scores, the action taken, provider used, latency, and cost.

Parameters:

  • content (required) - The content to moderate (text string, or URL for images/video)
  • policyId (required) - The policy ID to use for moderation
  • contentType (optional, default: text) - Type of content: text, image, or video

validate_policy

Validate a Vettly policy YAML without saving it. Returns validation results with any syntax or configuration errors. Use this to test policy changes before deploying them.

Parameters:

  • yamlContent (required) - The YAML policy content to validate

list_policies

List all moderation policies available in your Vettly account. Takes no parameters. Use this to discover available policy IDs before moderating content.

get_usage_stats

Get usage statistics for your Vettly account including request counts, costs, and moderation outcomes.

Parameters:

  • days (optional, default: 30) - Number of days to include in statistics (1-365)

get_recent_decisions

Get recent moderation decisions with optional filtering by outcome, content type, or policy.

Parameters:

  • limit (optional, default: 10) - Number of decisions to return (1-50)
  • flagged (optional) - Filter to only flagged content (true) or safe content (false)
  • policyId (optional) - Filter by specific policy ID
  • contentType (optional) - Filter by content type: text, image, or video

When to Use

  • Moderate user-generated content (comments, posts, uploads) before publishing
  • Test and validate moderation policy YAML configs during development
  • Audit recent moderation decisions to review flagged content
  • Monitor moderation costs and usage across your account
  • Compare moderation results across different policies

Examples

Moderate a user comment

Moderate this user comment for my community forum policy:
"I hate this product, it's the worst thing I've ever used and the developers should be ashamed"

Call list_policies to find available policies, then moderate_content with the appropriate policy ID and return the safety assessment.

Validate a policy before deploying

Validate this moderation policy YAML:

categories:
  - name: toxicity
    threshold: 0.8
    action: flag
  - name: spam
    threshold: 0.6
    action: block

Call validate_policy and report any syntax or configuration errors.

Review recent flagged content

Show me all flagged content from the last week

Call get_recent_decisions with flagged: true to retrieve recent moderation decisions that were flagged.

Tips

  • Always call list_policies first if you don't know which policy ID to use
  • Use validate_policy to test policy changes before deploying to production
  • Use get_usage_stats to monitor costs and catch unexpected spikes
  • Filter get_recent_decisions by contentType or policyId to narrow results
  • For image and video moderation, pass the content URL rather than raw data

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…