Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dfw Content Calendar

v1.2.1

Generate 7- or 30-day structured social media calendars with hooks, body copy, CTAs, and hashtags tailored by niche, platform, and audience.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and functionality (generate 7/30-day calendars) match the code and instructions: it uses an LLM backend to produce copy, supports demo/no-API mode, and exposes CSV/JSON output. Requesting an LLM API key (Anthropic) is reasonable for the premium features. However, the registry header provided to you lists no required env vars or binaries, while SKILL.md and generate_calendar.py clearly require an LLM backend and declare ANTHROPIC_API_KEY and python3. This metadata mismatch is unexpected.
Instruction Scope
SKILL.md runtime instructions stay on task (generate calendars, support demo/local mode, compliance checks, CSV export, read past-results JSON). The code implements a zero-cost demo mode and a compliance-word check. There are no instructions to read unrelated system files or exfiltrate arbitrary data. The code does probe a local health endpoint (http://localhost:8800/health) to detect a local LLM proxy.
Install Mechanism
There is no remote download of arbitrary archives and the code is included. SKILL.md contains an install spec that lists a 'uv' package: anthropic (presumably a package install), which is reasonable but slightly unusual in format. The registry summary you received said 'No install spec' while SKILL.md includes one; this inconsistency should be resolved. No suspicious external URLs or obfuscated installers were found in the provided files.
Credentials
The runtime expects an LLM backend and SKILL.md/metadata declare ANTHROPIC_API_KEY as primaryEnv (used for premium runs). That credential is proportionate to the skill's purpose. The concern is that the top-level registry metadata you were shown omitted this requirement entirely — meaning a user could install unaware they'll need to provide an API key. Confirming the skill's declared required envs in the registry/installation UI before handing over keys is necessary.
Persistence & Privilege
The skill does not request permanent 'always: true' presence, does not modify other skills, and does not require system-wide config paths. Autonomous invocation (disable-model-invocation=false) is the platform default and is not by itself a red flag here.
What to consider before installing
This skill's code and SKILL.md implement a legitimate content-calendar generator that uses an LLM backend. Before installing:

(1) verify the registry/installation page correctly lists ANTHROPIC_API_KEY and python3 — the package metadata you were shown omits these;
(2) prefer running the --demo mode first (no API key required) to validate output locally;
(3) if you enable premium features, only provide an ANTHROPIC_API_KEY you trust and understand that network calls will go to the Anthropic client (or a local LLM proxy if you set LLM_BACKEND=local);
(4) inspect or run the included generate_calendar.py in a safe environment to confirm behavior (it checks http://localhost:8800/health and falls back to Anthropic);
(5) ask the publisher to clarify the install spec format (the 'uv' install entry looks nonstandard) and confirm there are no hidden endpoints or extra environment variables.

The primary risk here is metadata inconsistency (surprise API-key requirement) and an unusual install description — not clear malicious behavior, but verify before providing credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk973kefta03800rd00s4zvrt3x83svr4
