Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
popup-generator
v1.0.1
When the user wants to add, optimize, or audit popups or modals for lead capture or offers. Also use when the user mentions "popup," "modal," "lightbox," "ov...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the actual instructions: this is an instruction-only CRO popup/modal guidance skill. It does not request binaries, credentials, or installs, which is proportionate to the stated purpose. The only capability beyond pure advice is reading local project-context files for additional context, which aligns with providing tailored recommendations.
Instruction Scope
SKILL.md explicitly instructs the agent to check for and read .claude/project-context.md and .cursor/project-context.md for offers and audience. Reading local project-context files can be reasonable, but these specific paths were not declared in the skill metadata (required config paths is empty). The instruction grants the agent permission to access workspace files that may contain sensitive or unrelated information — the skill should have declared that dependency or made the file access explicit in metadata.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk or fetched during install. This is low-risk and consistent with its purpose.
Credentials
The skill requests no environment variables, credentials, or config paths in metadata. That is proportionate for a design/advice skill. The only exception is the implicit file reads in SKILL.md (see instruction_scope).
Persistence & Privilege
always:false and normal agent invocation settings. The skill does not request persistent presence or elevated privileges and does not instruct changing system or other-skill configurations.
What to consider before installing
This appears to be a harmless, instruction-only popup design helper, but note that the skill's runtime instructions tell the agent to read local project-context files (.claude/project-context.md or .cursor/project-context.md) even though the skill metadata doesn't declare those as required config paths. Before installing or invoking: (1) inspect any .claude/ or .cursor/ project-context files in your workspace for sensitive info (API keys, PII) and remove or redact them if present; (2) prefer the skill only if you are comfortable with the agent reading those files for context; (3) if you need stronger guarantees, ask the skill author to declare the config paths explicitly or to provide a version that asks for permission before reading workspace files.
Like a lobster shell, security has layers — review code before you run it.
