Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OPC Landing Page Manager

v1.0.0

Landing page strategy, copywriting, design, and code generation for solo entrepreneurs. From product idea to a complete, self-contained, conversion-optimized...

by Leon Fan (@leonfjr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with what is included: strategy references, copy frameworks, templates, and HTML generation. The files and SKILL.md consistently implement a landing-page workflow. One minor mismatch: README mentions cross-skill integration (opc-contract-manager, opc-invoice-manager) but there is no declared mechanism (no env vars or credentials) explaining how data would be accessed; this is plausible as an optional integration but should be confirmed.
Instruction Scope
SKILL.md confines runtime actions to reading bundled reference files and producing self-contained HTML, plus reviewing user-provided HTML or file paths. That scope is appropriate. However, Review/Build modes accept a file path or indicate the skill may write/read project files (landing-pages/INDEX.json, project directories). If a user supplies arbitrary filesystem paths (or the skill runs the bundled scripts), those operations could access local files beyond the skill bundle — inspect how file paths are handled in the scripts before granting broad access.
Install Mechanism
No install spec; this is primarily instruction-only and therefore lower-risk. README notes optional local cloning and that the project tracker requires Python 3.8+ and only the stdlib. That is proportionate. However, two Python scripts are included in the skill bundle; their contents were not provided for review in the package preview, so they should be inspected for unexpected network calls, subprocess execution, or writes to system paths before use.
Credentials
The skill declares no required environment variables or credentials — which matches the stated purpose. The only concern is the claimed 'cross-skill integration' (pulling client info from other opc-* skills): that implies the skill might read other skills' data or shared storage. There are no env vars or access details declared for that, so confirm how integrations are implemented and whether they require additional permissions or access tokens.
Persistence & Privilege
The skill is not always-included and is user-invocable (normal). It is expected to create and manage a local 'landing-pages/' project structure and INDEX.json per README; writing project files to disk is coherent with its purpose. Confirm exactly which directories the scripts write to and whether they modify any agent-wide or other-skill configurations (no evidence they do, but the scripts should be inspected).
What to consider before installing
This skill appears to do what it claims (strategy, copy, templates, and generation of self-contained HTML) and has no declared credentials or install steps — good. However:
1) Two Python scripts are bundled (page_audit.py and project_tracker.py) but their source was not shown in the preview; inspect those files before running to ensure they do not make network calls, execute arbitrary subprocesses, or exfiltrate data.
2) The skill will read and write local project files (landing-pages/ and INDEX.json) — review/confirm the exact paths and back up any important data before using.
3) The README mentions cross-skill integration; ask the author how that works (does it read other skills' local files, call an internal API, or require credentials?).
4) If you plan to give it file paths to review, avoid pointing it to sensitive system files; prefer pasting HTML or using copies.
Recommended steps: inspect the two Python scripts for network/socket usage and subprocess calls (grep for requests, urllib, socket, subprocess, os.system, exec), run the skill in a sandboxed environment first, and verify what files it creates/overwrites.
If you want higher assurance, request the full content of the scripts and an explanation of any cross-skill data access before installing. If you provide those scripts' contents, I can re-evaluate with higher confidence.

Like a lobster shell, security has layers — review code before you run it.
