Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sales Content Gen Agent
v1.0.0Generates tailored marketing images, videos, music, and ad copy using AI tools for social media, ads, and brand campaigns on demand.
⭐ 0· 47·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's purpose is to use external services (ComfyUI, Suno, RunPod) for image/video/music generation, which normally requires service endpoints and API keys or local installs. The published registry metadata says no required env vars or binaries, but the SKILL.md metadata asks for curl and an npm package ('clawhub'). This mismatch (no declared credentials while referencing external services) is incoherent: either the skill expects pre-provisioned credentials/environment or it will fail or attempt to use unspecified external endpoints.
Instruction Scope
The SKILL.md gives high-level runtime instructions and mentions which tools to use but does not specify how to connect to those tools (no API endpoints, no auth flows, no local paths). It does not instruct reading unrelated system files, but it leaves broad discretion to 'use ComfyUI or RunPod' without guidance — a gap that could lead to unexpected behaviors or assumptions about environment access.
Install Mechanism
Registry metadata earlier reported 'No install spec', but the SKILL.md includes metadata.install that requests installing a Node package 'clawhub' (no version/source) and declares a required bin 'curl'. Installing an unpinned npm package at install time can execute arbitrary code on the host. The origin and trustworthiness of 'clawhub' are unknown; no release host or version is specified. This is a moderate-to-high risk install pattern.
Credentials
The skill references third-party services that normally require API keys/credentials (RunPod, Suno, ComfyUI) but declares no required environment variables or primary credential. That absence is disproportionate to the stated capabilities and suggests either hidden assumptions (preconfigured credentials) or incomplete/incorrect metadata.
Persistence & Privilege
The skill does not request always-on presence, does not declare system-level config paths, and does not request other skills' credentials. Default autonomous invocation is allowed (platform default) but is not combined with elevated privileges here.
What to consider before installing
Do not install this skill until the author clarifies a few things: (1) where and how it will access ComfyUI, Suno, and RunPod (API endpoints, required API keys, or local services); (2) why the SKILL.md asks for curl and an npm package while the registry shows no install requirements; (3) the exact source and pinned version of the 'clawhub' package (inspect its code before installing); and (4) whether any credentials must be provided and how they are stored. If you proceed, run installation in a sandboxed environment, require explicit, minimal-scoped credentials, and prefer a versioned, audited install source rather than an unpinned npm package. If the author cannot provide these details, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk97degxqfeafr0bmm8hkjs78b584cwk2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.