ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

employee-generated-content

v1.0.0

When the user wants to plan, implement, or optimize employee-generated content (EGC) or employee advocacy. Also use when the user mentions "EGC," "employee a...

0· 101·0 current·0 all-time
by@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and instructions align: the skill is a guidance/strategy helper for employee-generated content and requires no credentials, binaries, or installs. Its recommendations and related-skill links are consistent with that purpose.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to check for and read local files (.claude/project-context.md or .cursor/project-context.md) for project context. The skill's declared requirements list no config paths. Reading local project-context files for context is reasonable for a strategy skill, but the instruction references file access that wasn't declared in the metadata — this mismatch should be clarified. No other instructions ask for secret values or network exfiltration.
Install Mechanism
No install specification and no code files are present. Being instruction-only minimizes installation risk because nothing is written to disk and no external packages are fetched.
Credentials
The skill declares no required environment variables, credentials, or config paths. That matches the advisory nature of the skill. The only potential concern is the undelcared local file read noted above.
Persistence & Privilege
always is false and there is no indication the skill requests persistent or elevated privileges. Autonomous invocation is enabled by default but not combined with other red flags.
What to consider before installing
This skill is primarily a written guide and appears to do what it says, but note it tells the agent to read .claude/project-context.md or .cursor/project-context.md for context even though no config paths are declared. Before installing: (1) confirm you do not store secrets or sensitive data in those project-context files, (2) inspect any project-context files the agent could access, and (3) verify the source of the skill (no homepage or author info is provided). If you need stronger guarantees, ask the publisher to explicitly declare the config paths the skill may read or to remove that step.

Like a lobster shell, security has layers — review code before you run it.

latestvk97225r3xddjgykmgwd4m394w5833za7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments