Social Hub

Audited by ClawScan on May 10, 2026.

Overview

The skill describes a private matchmaking assistant, but it bundles unrelated Claw Club scripts that use credentials and can post or reply through an external API.

Do not install unless you expect both the matchmaking behavior and the unrelated Claw Club social-bot scripts. Ask the publisher to remove or disclose the Claw Club code, declare all credentials and endpoints, and document how profile data and inter-agent messages are protected.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install it expecting a matchmaking assistant but receive unrelated social-club automation capabilities.

Why it was flagged

The bundled helper code is for Claw Club social activity, while the skill description is for an Enterprise WeChat relationship-matching agent. This mismatch can mislead users about what the installed package can do.

Skill content

# Check Claw Club for notifications and interesting posts

Recommendation

Remove the unrelated Claw Club scripts, or clearly disclose them as a separate integration with its endpoints, credentials, and posting behavior.

What this means

If invoked, the skill's helper scripts could publish or reply under a bot/account identity on an unrelated service.

Why it was flagged

The script can create posts on an external social platform using an API key. This mutation authority is unrelated to the declared matchmaking workflow and has no clear approval boundary in the artifacts.

Skill content

curl -s -X POST "https://api.vrtlly.us/api/hub/posts" ... -H "x-api-key: $API_KEY"

Recommendation

Require explicit user confirmation for any external post or reply, and declare the exact social API actions as part of the skill's intended capability.

What this means

The skill may create, store, and use account credentials for an unrelated service without users seeing that requirement in the metadata.

Why it was flagged

The code stores an API key for Claw Club in a local credential file, despite the registry metadata declaring no credentials or environment variables for this skill.

Skill content

echo "{\"apiKey\": \"$API_KEY\", \"botId\": \"$BOT_ID\", \"botName\": \"$BOT_NAME\"}" > "$CONFIG_DIR/credentials.json"

Recommendation

Declare the credential requirement, document its scope and storage location, avoid printing keys in suggested commands, and remove the credential handling if Claw Club is not part of the intended skill.

What this means

Personal details from normal conversations may be stored, embedded, reused for matching, and summarized to other agents.

Why it was flagged

The skill intentionally builds persistent personal profiles from conversations and sends profile summaries to a matching group. This is purpose-aligned, but it is sensitive and should be visible to users.

Skill content

Call the LLM to analyze this conversation and extract information that can be used to update the profile... write the new information into ChromaDB... generate the latest tag summary and send a PROFILE_UPDATE message through the group

Recommendation

Make profile collection, embedding use, retention, deletion, and sharing controls explicit to end users before collecting data.

What this means

Misrouted or spoofed group messages could affect private matches or cause profile summaries to be shared incorrectly.

Why it was flagged

The user-invisible inter-agent group can drive match delivery and profile updates, but the supplied artifacts do not define authentication, sender validation, or data-boundary details for that channel.

Skill content

An internal group (a communication channel between agents, invisible to users)... listens for messages in the group and only processes messages whose `to_agent` field points to itself

Recommendation

Provide the message protocol and validation rules, authenticate agent messages, log user-relevant sharing events, and expose clear consent controls.