Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Account Analyzer

v1.0.0

Analyze social media accounts to track growth, engagement, audience demographics, and provide tailored improvement recommendations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description (social media account analysis) matches the listed capabilities, but the skill declares no code, no install, and no required credentials. The SKILL.md references a local script (skills/account-analyzer/analyze.py) and unspecified 'Platform scrapers' that are not present — this is inconsistent with the claimed functionality. A legitimate analyzer would either include code, point to a repo, or declare required platform credentials and installer steps.
! Instruction Scope
The runtime instructions tell the agent to run a local Python script that is not included in the package. 'Platform scrapers' are listed as a dependency but not detailed; scraping social platforms can require network access, authentication, or cookies and may collect sensitive data. The SKILL.md gives the agent broad license to use scrapers without specifying which platforms, what data is collected, or what credentials are needed.
Install Mechanism
There is no install specification (instruction-only), which minimizes immediate disk/write risk. However, because dependencies include vague 'Platform scrapers' and a non-existent analyze.py, the absence of an install step is more likely a sign of an incomplete or placeholder skill than a safe, self-contained implementation.
! Credentials
No environment variables or credentials are declared despite the likely need for platform tokens or session cookies for many social networks (especially closed platforms like xiaohongshu). Either the skill expects unauthenticated public scraping (not always possible) or it is omitting necessary secret requirements — both are problematic. Declared Python deps (requests, pandas, matplotlib) are reasonable, but 'Platform scrapers' is too vague to judge.
Persistence & Privilege
The skill does not request always: true and does not assert extra privileges. Autonomous invocation is allowed (platform default), which is normal. There is no evidence it would modify other skills or system-wide settings.
What to consider before installing
This skill is incomplete and inconsistent: it promises analysis but contains no code, no install steps, and no declared credentials. Before installing or enabling it, ask the publisher for: (1) the full source code or a canonical repo/release, (2) an install spec or requirements.txt, (3) explicit details about which platforms are supported and whether account credentials are required, and (4) a privacy/data-use statement describing what account data is collected, stored, or transmitted. Do not provide personal account tokens or passwords until you can review the code and confirm network endpoints. If you must test it, run it in a sandboxed environment and monitor outbound network traffic. Because the package origin is unknown and owner/homepage are missing, treat it as untrusted until you can validate its implementation and provenance.

Like a lobster shell, security has layers — review code before you run it.
