Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cc Clean

v1.0.0

Generate 7- or 30-day structured social media calendars with varied hooks, body copy, CTAs, and hashtags tailored by niche, audience, and platform.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate content calendars and the declared dependency on an LLM key (ANTHROPIC_API_KEY) and Python is plausible for that function. However, the outer registry metadata lists no required env or install, while SKILL.md embeds requirements (ANTHROPIC_API_KEY, python3, and an 'install' entry). The mismatch between manifest and SKILL.md is unexplained.
Instruction Scope
SKILL.md shows runtime usage calling python3 generate_calendar.py with many flags, plus CSV output and a demo mode. No code files (generate_calendar.py) are included in the skill bundle, so the instructions reference files that are not present. That inconsistency could cause failures or lead the agent to attempt to fetch or create code at runtime; the instructions do not reference any other system files or unrelated credentials.
Install Mechanism
The registry-level metadata indicated 'No install spec' and no code files, but SKILL.md contains an install stanza (kind: uv, package: anthropic). 'uv' is not a standard, well-known installer label in this context and no further detail is provided. Because there is no archive/download URL and no code shipped with the skill, the install risk is currently low-but-uncertain; you should confirm what 'uv' means and whether the package will be fetched from a trusted registry.
Credentials
SKILL.md declares a single required secret (ANTHROPIC_API_KEY) as primaryEnv, which is appropriate for an LLM-based content generator. But the top-level registry metadata earlier in the manifest claimed no required env vars — another inconsistency. No other secrets or unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not declare config paths, and does not ask to modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default and not flagged by itself.
What to consider before installing
This skill looks like a typical LLM-backed content-generator, but there are mismatches between the registry metadata and the SKILL.md instructions (SKILL.md expects python3 generate_calendar.py and an Anthropic package, yet no code or install spec was included). Before installing or providing an ANTHROPIC_API_KEY:

1) Verify the upstream repository/homepage (SKILL.md lists https://github.com/dfw-area-house-hunt/openclaw-skills) and confirm the actual code and install steps.
2) Ask the author to provide the missing generate_calendar.py or a packaged release, and clarify what 'install: kind: uv' does.
3) Use a scoped or test Anthropic API key (with minimal billing/privileges) when trying the skill, and prefer using the --demo flag first (zero API calls) to validate behavior without sending data.
4) If you cannot confirm the source or the install steps, avoid supplying production API keys or secrets.

If you want, I can draft questions to ask the publisher or attempt to fetch and inspect the referenced repo link for more details.

Like a lobster shell, security has layers — review code before you run it.
