ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Market Intelligence Agent

v1.0.0

Find business opportunities others miss. Mines Reddit, HackerNews, ProductHunt for pain points, validates ideas, and surfaces emerging trends.

0· 57·0 current·0 all-time
by@gunybuny
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (market intelligence from Reddit, HackerNews, ProductHunt) matches the skill's name. However, the skill provides no provenance (source unknown, no homepage) and does not declare how it will access those sites (no APIs, rate-limit handling, or credentials described). It also references a local file (references/prompts.md) that is not present in the package, which suggests incomplete or inconsistent packaging.
!
Instruction Scope
SKILL.md gives only high-level directives ('search platforms for complaints', 'daily briefing') and grants the agent open-ended discretion to gather context. This vagueness can lead the agent to perform broad web scraping, store or transmit large amounts of extracted data, or access endpoints not intended by the user. The missing referenced prompts.md means important runtime guidance is absent.
Install Mechanism
No install spec and no code files are present, which minimizes on-disk risk. Instruction-only skills have lower installation risk because nothing is written or executed by an installer.
Credentials
No environment variables or credentials are requested, which is reasonable for a high-level instruction-only skill. That said, to properly and reliably access Reddit/ProductHunt APIs a real implementation would likely need API keys or tokens; the absence of declared credentials could indicate the skill expects unauthenticated scraping (which has legal/terms-of-service and rate-limit implications) or is incomplete.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Autonomous invocation is allowed (platform default) — combined with the instruction vagueness this could let the agent perform network activity when invoked, but the skill does not itself request persistent system presence.
What to consider before installing
This skill is plausible but incomplete. Before installing, ask the publisher: (1) Where is references/prompts.md and what runtime prompts or safeguards does it contain? (2) Will the skill use official APIs (and if so, what credentials are required) or will it scrape public pages? (3) What data will be collected, stored, or transmitted, and how long is it retained? (4) Are there rate-limit, legal, or privacy considerations for scraping these sites? If you can't get clear answers (and a source/homepage), treat the skill as risky: prefer skills that declare APIs/credentials explicitly, include runtime prompts/safeguards, and come from an identifiable publisher.

Like a lobster shell, security has layers — review code before you run it.

latestvk978xg16ffa99ma45p4m44fje584ents

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments