Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Tracker Clean

v1.0.0

Track competitor social content across LinkedIn, X, and Instagram. Analyzes posting frequency, top-performing hooks, content pillars, and engagement patterns...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (tracking social posts across LinkedIn, X, Instagram) matches the SKILL.md goals. However the skill lists capabilities (multi-platform scraping/monitoring, Slack/Telegram alerts, paid tiers) but does not declare any credentials, API usage, or endpoints required to perform those actions — an incomplete mapping between claimed capabilities and required resources.
! Instruction Scope
SKILL.md tells the agent to 'pull recent posts' and use 'web search' and internal NLP scorers/classifiers, but provides no concrete method (platform APIs vs. scraping), no constraints about rate-limits or platform terms, and no explicit handling of external delivery (Slack/Telegram alerts). The prose is open-ended and grants broad discretion to gather public content, which could lead to unintended scraping behavior or transmission of collected data to external services.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is written to disk by a provided installer because none exists.
! Credentials
requires.env and primary credential are empty, yet the SKILL.md promises Slack/Telegram alerts and paid tiers; there is a mismatch between advertised integrations (which normally require tokens/API keys and payment endpoints) and the skill's declared environment/credentials. This is an unexplained inconsistency.
Persistence & Privilege
Defaults (always: false, model invocation enabled) are used. The skill does not request persistent/system-wide privileges or forced inclusion, so no additional privilege concerns from the manifest itself.
What to consider before installing
Before installing, ask the publisher for clarifications and insist on specifics: (1) How does the skill fetch social posts — which platform APIs or scraping methods? If scraping, will it respect platform terms of service and rate limits? (2) Where do paid subscriptions and reports live, who processes payments, and what data is retained? (3) How are Slack/Telegram alerts delivered — which tokens/endpoints are required and where are they stored? (4) Request a homepage or source repo and, if possible, the actual code for the 'content resonance scorer' and 'NLP classifier' so you can review data handling. If the author cannot provide concrete implementation details (API endpoints, required env vars, data retention policy), avoid installing or granting the skill network access; prefer skills that explicitly declare required credentials and show a trustworthy codebase or official integration.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758ygp79e33m47t4y3vr0jqd83rv97
