Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

User Interview

v1.0.2

Run real user interviews via Usercall. Use when you need qualitative feedback from real users — onboarding drop-off, feature confusion, pricing clarity, prot...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly targets Usercall and only needs a Usercall API key to create studies and fetch results, which is coherent with the stated purpose. However, the registry metadata listed under this bundle claims no required env vars while the instructions require USERCALL_API_KEY — an inconsistency between what the skill 'claims' and what it 'needs'.
! Instruction Scope
Runtime instructions limit network calls to app.usercall.co and provide specific curl examples (expected). However, the instructions tell the agent to run `echo "$USERCALL_API_KEY"`, which will print the secret to the terminal/logs and can leak it in transcripts or logs. The SKILL.md also uses $ARGUMENTS (platform-provided) and tells the agent to accept media URLs. These are reasonable, but the explicit echo of the API key is an unnecessary and risky step.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. All network calls are to the documented app.usercall.co API.
! Credentials
Requesting a single USERCALL_API_KEY is proportionate to the described functionality. But the manifest metadata omission (it didn't declare the required env var) and the instruction to echo the key increase the chance of accidental credential exposure. Consider whether a scoped/revocable key can be used and whether the skill could avoid printing the secret.
Persistence & Privilege
The skill does not request permanent/always-on presence and uses normal, user-invocable defaults. It does not modify other skills or request elevated platform privileges.
What to consider before installing
This skill appears to do what it says (create and manage Usercall studies) but be cautious before installing or running it:

- The SKILL.md requires USERCALL_API_KEY, yet the package metadata does not declare that. Treat this as a packaging inconsistency and verify before trusting the skill.
- The instructions explicitly echo your API key (echo "$USERCALL_API_KEY"). That prints your secret into the terminal/agent logs and can leak it. Do not run steps that print secrets; instead set the env var without echoing it.
- Only provide a Usercall key you control; prefer a limited-scope or revocable key and rotate it after testing. Avoid pasting the key into chat messages.
- Confirm that network calls go to https://app.usercall.co (as shown) and that you trust that service.
- Consider asking the skill author (or the registry owner) to update the package metadata to declare USERCALL_API_KEY and to remove the echo step so secrets are never printed.

If you understand and accept these risks (and use a scoped/revocable key), the skill's functionality is otherwise aligned with its description.

Like a lobster shell, security has layers — review code before you run it.
