ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Personal Brand Builder

v1.0.0

Transforms any OpenClaw agent into a personal brand authority engine. Defines the principal's unique positioning, manages presence across Twitter/X, LinkedIn...

0· 129·1 current·1 all-time
byWesley Armando@georges91560
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: a CLI that manages brand identity, content queues, and posts/notifications across platforms. Requiring Telegram and Twitter credentials is coherent with auto-posting and notifications. However, registry-level metadata at the top of the submission lists no required env vars or paths while SKILL.md and README do list several credentials and workspace paths — this mismatch is unexpected and could cause surprise behavior.
!
Instruction Scope
SKILL.md instructs the agent to read/write many /workspace/brand and /workspace/.learnings files and to make network requests (Telegram, Twitter, LinkedIn). The code demonstrates Telegram notifications and local file writes (AUDIT, LEARNINGS, proof vault). There are no signs of broad system access, but SKILL.md and README show commands pointing at /workspace/brand/scripts/brand_manager.py while the provided file is brand_manager.py at the repository root; this path mismatch suggests packaging/sloppiness that could cause the agent to run a different file or fail. Network targets are limited to social APIs but will transmit content and may auto-post if API keys are supplied.
Install Mechanism
Instruction-only with a bundled Python script; there is no automatic installer or external download. Risk from install mechanism is low because nothing is fetched from arbitrary URLs during install; code runs only if executed by the agent or user.
Credentials
Requested environment variables (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, TWITTER_* keys) are proportionate to the stated auto-posting and notification features. However, the registry summary initially claimed 'Required env vars: none' while SKILL.md and README list multiple credential variables (and README says Twitter credentials are optional). That inconsistency should be clarified. These credentials are sensitive — providing them grants the skill ability to post and send messages on your behalf.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or system-wide settings. It writes only to workspace-scoped paths and creates audit/learning files; this is expected for a workspace-focused CLI. The agent can invoke the skill autonomously (default), which combined with supplied posting credentials would enable automatic posting — consider that when supplying keys.
What to consider before installing
This skill mostly does what it claims, but there are several red flags to check before installing or providing credentials: 1) Clarify required credentials and optionality — the top-level registry says 'none' while SKILL.md/README request Telegram and Twitter keys. 2) Confirm where the script actually lives and is executed (SKILL.md/README reference /workspace/brand/scripts/brand_manager.py but the shipped file is brand_manager.py at root). Packaging mismatches can cause accidental execution of different code or runtime errors. 3) If you decide to enable auto-posting, provide least-privilege/test accounts first (not your primary Twitter/X account) and test in manual mode; rotate keys if you later revoke access. 4) Review the code yourself (or have someone you trust) — the script will write audit and learning files and will send network requests to Telegram/Twitter/LinkedIn endpoints. 5) Run it in an isolated workspace or sandbox initially to observe behavior. If you need help clarifying any of the inconsistencies above or want recommended test steps, ask for them.

Like a lobster shell, security has layers — review code before you run it.

#personalbrand #branding #twitter #linkedin #instagram #youtube #tiktok #content #authority #automation #entrepreneurship #trading #ai #socialmedia #growthvk972s3y0yyd9g962f9t1c7t7gx833s65latestvk972s3y0yyd9g962f9t1c7t7gx833s65

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏆 Clawdis

Comments