ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

community-forum

v1.1.0

When the user wants to promote via forums, communities, or invite users to join a community. Also use when the user mentions "forum promotion," "Indie Hacker...

0· 97·0 current·0 all-time
by@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, and the SKILL.md content consistently describe community/forum promotion, platform-specific tactics (HN, Indie Hackers, Reddit, Discord, vertical forums), and related outputs. There are no unrelated credential or binary requirements.
!
Instruction Scope
The runtime instructions explicitly tell the agent to 'Check for project context first' and to read .claude/project-context.md or .cursor/project-context.md if present. Those file reads are not listed in the skill's declared requirements/config paths. Reading workspace files is a legitimate way to get context, but the skill should declare that behavior so users know what will be accessed.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes supply-chain and disk-write risk.
Credentials
The skill requests no environment variables or credentials — appropriate for its purpose. However, it asks to read project-context files (undisclosed in requires.config paths), which could contain sensitive tokens or proprietary info depending on the user's workspace.
Persistence & Privilege
always is false and the skill is user-invocable. The skill can be invoked autonomously (platform default). That autonomous capability combined with the undisclosed file-read behavior increases the privacy blast radius: the agent might access workspace context without the user explicitly expecting it.
What to consider before installing
This skill appears to do what it says (forum/community promotion) and has no install or credential demands — good. Before installing, review the SKILL.md and confirm you're comfortable with the agent reading project-context files (.claude/project-context.md or .cursor/project-context.md) from your workspace. Those files can contain sensitive or proprietary information; if you keep secrets or credentials in your project files, remove them or prevent the agent from accessing those paths. Because the skill can be invoked autonomously, consider disabling autonomous invocation or only enabling the skill when you explicitly request forum-promotion actions. If you want stronger guarantees, ask the skill author to declare required config paths and/or to make file reads explicit in the manifest.

Like a lobster shell, security has layers — review code before you run it.

latestvk9773y02a0mq43be25fvdq462n833nyh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments