Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blog Title Optimizer

v1.0.7

AI-powered blog title optimizer. Generate SEO-friendly, click-worthy headlines that drive traffic.

0· 416·3 current·3 all-time
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (headline/SEO generator) matches the code's behavior (calls a local 'openclaw' agent to produce titles and charges via a payment API). However, the registry metadata declares no required binaries while index.js spawns the 'openclaw' CLI, so the 'openclaw' binary is in fact required. SKILL.md also references an OpenClaw Gateway and Sloan agent, which aligns with the code, but the omission in the metadata is inconsistent with the code and could mislead users about prerequisites.
Instruction Scope
SKILL.md is largely usage documentation (CLI examples) and aligns with the code. It mentions optional env vars (SKILLPAY_MERCHANT_KEY, OPENCLAW_GATEWAY_TOKEN). The code uses SKILLPAY_MERCHANT_KEY (or a default embedded key) but does not use OPENCLAW_GATEWAY_TOKEN, so that env var is documented but unused. Instructions assume a local OpenClaw agent/CLI will be executed — this requires running a local binary which the skill will invoke.
Install Mechanism
There is no install spec (instruction-only in metadata) but the package includes index.js and a package.json with axios dependency. package-lock.json shows dependencies resolved via a non-default mirror (mirrors.tencentyun.com), which is nonstandard and increases supply-chain visibility risk. No remote arbitrary downloads or extract operations are present in the package.
Credentials
The code contains a hardcoded merchant key (SKILLPAY merchant_key) embedded in CONFIG and will POST it to a payment API by default. That is functional for pay-per-use but is a secret baked into the package and could send payments/transaction records to the hardcoded recipient without the user supplying their own key. Documented OPENCLAW_GATEWAY_TOKEN is not used in code. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent or privileged installation (always:false), does not modify other skills or system config, and does not store its own auth beyond using the merchant key for each payment call. It does invoke a local binary, which is expected for an OpenClaw skill.
What to consider before installing
This skill appears to do what it claims, but there are a few things to check before installing or running it:

  • Verify the 'openclaw' binary you will execute is legitimate and from a trusted source; the skill runs this CLI locally.
  • The package contains a hardcoded SKILLPAY merchant key. If you care where payments go, replace SKILLPAY_MERCHANT_KEY with your own merchant key or use the --test flag to avoid charges during evaluation. Embedded merchant keys mean the author (or whoever controls that key) will receive payments by default.
  • The registry metadata omits the required 'openclaw' binary; expect to need OpenClaw/Sloan locally even though the metadata lists none.
  • package-lock.json shows dependencies fetched from mirrors.tencentyun.com (a non-default registry mirror). If you will install dependencies, consider auditing or re-resolving from a registry you trust (npmjs.org) to reduce supply-chain risk.
  • The index.js file appears to have sloppy code (a malformed spawn/Promise fragment), which suggests limited maintenance quality; consider reviewing the code or running it in a sandbox first.

If you want to proceed: run in test mode first (--test), audit/replace the merchant key, ensure openclaw CLI is genuine, and preferably run inside an isolated environment until you are comfortable.

Like a lobster shell, security has layers — review code before you run it.

latest vk972x0qtgr49q4j34dg5ydk3xx82avsg
416 downloads
0 stars
10 versions
Updated 11h ago
v1.0.7
MIT-0

Blog Title Optimizer

Generate SEO-friendly, click-worthy blog titles that rank and drive traffic.

Features

  • SEO Optimization - Keywords and search intent
  • Click-Worthy - Psychological triggers that work
  • Multiple Options - Get 7 title variations
  • Length Optimization - Perfect for Google & social

Usage

# Generate blog titles
blog-title-optimizer "how to build AI agents"

# With specific keywords
blog-title-optimizer "AI agents tutorial" --keywords "beginners,2026"

Options

| Option | Description | Default |
|--------|-------------|---------|
| --keywords | Target keywords (comma-separated) | - |

Pricing

  • Pay per use: 0.001 USDT per generation

Environment Variables

| Variable | Description | Required |
|----------|-------------|----------|
| SKILLPAY_MERCHANT_KEY | Payment merchant key (optional, embedded key used by default) | No |
| OPENCLAW_GATEWAY_TOKEN | Gateway auth token for local API fallback | No |

Requirements

  • OpenClaw with Sloan agent (AI columnist)
  • OpenClaw Gateway running locally (for API fallback)

About Sloan

Sloan is your AI columnist - a professional content strategist specializing in SEO and headline optimization.

Support

License

MIT © Matt
