Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Content Asset Orchestrator
v1.0.0
Plan, organize, and audit ecommerce content assets across short video (TikTok/Douyin), Xiaohongshu posts, Amazon A+ content, Shopify PDP images, email banner...
by haidong @harrylabsj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and the visible handler.py logic align: the code tokenizes input, detects channels/goals/formats, and renders a markdown brief. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md explicitly states it does not connect to live social/DAM/analytics systems and limits outputs to a markdown brief. The visible code implements only local heuristics and rendering; the instructions do not request unrelated files or environment data.
Install Mechanism
There is no install specification (instruction-only style). The only artifacts are source files included with the skill — no external downloads, package installs, or extracts are declared.
Credentials
The skill declares no required environment variables or credentials and the visible code does not access environment variables or config paths. This is proportionate for a planning/orchestration skill.
Persistence & Privilege
No elevated persistence requested: always is false, user-invocable is true, and disable-model-invocation is false (normal). The skill does not request to modify other skills or system-wide settings in the visible materials.
What to consider before installing
What to check before installing:
- Inspect the full handler.py (the provided snippet was truncated). Search the file for network calls (requests, urllib, socket, http, urllib3), subprocess/exec usage, and any os.environ access or file system writes that aren't necessary for local rendering.
- Run the included tests locally (tests/test_handler.py) in a sandboxed environment to confirm behavior.
- Note the skill has no declared homepage or known owner; consider this when deciding trust and avoid supplying sensitive credentials or proprietary asset inventories until you verify the code.
- If you plan to let the agent invoke the skill autonomously, ensure it runs with least privilege and in a non-production test workspace first. If you provide product or customer data to the skill, avoid including PII until you confirm there is no exfiltration logic in the unseen portion of the code.

Like a lobster shell, security has layers — review code before you run it.
