Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dfw Content Calendar
v1.0.0Generate 7- or 30-day social media calendars with hooks, body copy, CTAs, and hashtags tailored by niche, audience, and platform in JSON or CSV formats.
⭐ 0· 37·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The described purpose (social media content calendars) matches the included script and SKILL.md behavior. However, registry metadata says no required env vars/binaries while SKILL.md frontmatter declares ANTHROPIC_API_KEY and python3 as required. Requiring an Anthropic API key is reasonable for LLM-backed generation, but the registry/manifest mismatch is incoherent and should be corrected.
Instruction Scope
SKILL.md and generate_calendar.py stay on-scope: they produce calendar JSON/CSV and include a zero-cost --demo mode that makes no API calls. The script will call external LLM backends (Anthropic or a local proxy) when not in demo mode, meaning user content is sent to third-party services. There are no instructions to read unrelated system files or exfiltrate host data in the visible code.
Install Mechanism
The skill is listed as instruction-only in the registry, but SKILL.md includes an install section (kind: uv, package: anthropic). 'uv' is not a standard well-documented installer label here and is ambiguous. The code also uses openai for a local backend path but the install does not declare an openai dependency. The install spec is minimal and not a high-risk remote download, but the mismatch and unclear installer kind are concerning.
Credentials
SKILL.md declares ANTHROPIC_API_KEY as primaryEnv (appropriate for API-backed LLM usage). The registry metadata however lists no required env vars — an inconsistency. The code also reads LLM_BACKEND and can import openai/anthropic; those environment expectations (LLM_BACKEND, possible OpenAI/local keys) are not fully documented in the registry. Requesting an Anthropic key is proportionate for LLM use, but the missing/undocumented envs and unclear fallback behavior create risk if users supply credentials without understanding where data will be sent.
Persistence & Privilege
The skill does not request persistent elevated privileges; 'always' is false and there is no evidence it modifies other skills or system-wide agent settings. Autonomy (disable-model-invocation=false) is the platform default — noted but not by itself a red flag.
What to consider before installing
This skill appears to implement the content-calendar functionality and includes a safe zero-cost --demo mode, but there are several inconsistencies you should resolve before installing or supplying credentials: 1) The registry metadata claims no required env vars/binaries, but SKILL.md requires ANTHROPIC_API_KEY and python3 — verify which is correct. 2) The code can call Anthropic (and attempts a local OpenAI proxy path) but the install only lists an ambiguous 'uv' install for 'anthropic' and doesn't declare an openai dependency — ask the author how to install dependencies and whether OpenAI/local backends are supported. 3) If you plan to run non-demo mode, understand that content (and any prompts/data you provide) will be sent to a third-party LLM (Anthropic or a local proxy); do not send sensitive or private data unless you trust the endpoint and have confirmed which API key/backends will be used. 4) Prefer using --demo for evaluation (zero API calls). 5) Ask the publisher to fix the registry metadata to list required env vars and install steps explicitly, and to clarify the 'uv' install kind and any other runtime environment variables (e.g., LLM_BACKEND).Like a lobster shell, security has layers — review code before you run it.
latestvk97916mwfbh2635agx5fahrvrn83rq23
License
MIT-0
Free to use, modify, and redistribute. No attribution required.