Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Founder Article
v1.0.0Generate professional business articles with magazine-quality layout. Specialized for founders, investors, and business analysts to create compelling content...
⭐ 0· 36·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The repository contains templates, a packaging script, and a headless‑Chrome PDF helper that match the stated purpose (generate HTML + PDF article output). However the SKILL.md/README claim features (one‑click GitHub repo creation / Pages enabling) that are not implemented in the included scripts and the skill doesn't request any GitHub credentials to perform that action.
Instruction Scope
Runtime instructions describe creating GitHub repositories, enabling GitHub Pages, and returning shareable URLs. There are no included scripts to call the GitHub API, no guidance on how credentials would be supplied, and requires.env lists no tokens — so the instructions overstate capabilities or omit needed steps. Aside from fonts (loaded from Google Fonts) and local Chrome usage, the instructions do not attempt to read local secrets or unexpected system paths.
Install Mechanism
No install spec — instruction-only with a couple simple local scripts. The html-to-pdf.sh uses a local Chrome/Chromium binary (expected for PDF generation); package.py only zips files. No remote downloads or extract/install from arbitrary URLs are present in the code bundle.
Credentials
The skill declares no required environment variables or credentials, yet documents and SKILL.md claim automated GitHub repo creation and Pages publishing — actions that would require a GitHub token or OAuth. This is a proportionality mismatch (capability requires credentials but none are requested). The templates also reference Google Fonts (external URLs) which is expected for rendering but is a network dependency.
Persistence & Privilege
always is false and the skill does not request system-wide privileges or modification of other skills. The included scripts operate on local files and produce outputs; nothing requests permanent presence or elevated privilege.
What to consider before installing
This skill largely does what it says for local HTML/PDF generation: templates + a headless‑Chrome script and packaging helper are included and appear benign. The key mismatch is the advertised “one‑click GitHub Pages” publishing: the bundle does not include any GitHub API client or instructions for supplying a GitHub token, so be cautious — the skill would need credentials to actually create a repo and enable Pages. Before installing or granting any tokens: (1) confirm how publishing is implemented (search for GitHub API calls or OAuth flows), (2) avoid giving a broad GitHub token unless you trust the source and have reviewed any code that would use it, (3) run the html-to-pdf.sh locally in a sandbox to verify behavior and ensure Chrome is used only for file:// rendering, (4) note remote assets (Google Fonts) are loaded from fonts.googleapis.com, and (5) prefer installing from a known repository or fork you can audit; if the publisher is unknown, treat the publishing claims as marketing rather than guaranteed automated functionality.Like a lobster shell, security has layers — review code before you run it.
latestvk979jr30xg4qrcst8s697mab3983w22s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.