Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LinkedIn Carousel Factory

v1.0.0

Generate a complete 10-slide LinkedIn carousel JSON with hook-driven, concise content and .NET 8+ code examples for mid-to-senior .NET developers on a chosen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and slide/code requirements all align: producing a 10-slide LinkedIn carousel with .NET 8+ code examples for mid/senior .NET devs. No extraneous libraries or binaries are requested, and generation-only behavior is appropriate for the stated purpose.
! Instruction Scope
SKILL.md instructs the agent to write the generated JSON to a specific user path (~/Documents/Obsidian/ClawBrain/skills/draft/...) and to post a message to a Discord channel (#✅-tasks). These are explicit filesystem and external-network actions outside pure text-generation. The instructions also tell the agent to update a memory file (memory/what_works.md). The skill gives no details about how to authenticate or which service/integration will perform the Discord post, making the network/posting step ambiguous and potentially risky.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or written by an installer. This is low-risk from an install-supply-chain perspective.
! Credentials
Declared requirements list no environment variables or credentials, yet the runtime instructions expect posting to Discord and writing to persistent memory. Posting to Discord or sending to collaborators would normally require a webhook, token, or an integration; the lack of declared creds is a mismatch. The skill also directs writes into the user's Documents/Obsidian vault and a memory file, which are reasonable for a content pipeline but should be explicit and consented to.
Persistence & Privilege
The skill requests writing generated drafts to a user Documents path and appending/recording data into memory/what_works.md (self-improvement notes). It does not set always: true nor request system-wide privileges. Writing to the user's vault and memory is persistent behaviour the user should be aware of, but it is not inherently privileged or covert.
What to consider before installing
This skill appears to do what it says (generate LinkedIn carousel JSON with .NET code), but review the following before enabling it:
(1) It will write files into your ~/Documents/Obsidian/ClawBrain/... and update memory/what_works.md — confirm you want automatic writes to those locations and back up sensitive data.
(2) It tells the agent to post to a Discord channel, but the skill declares no webhooks or tokens — determine which integration will perform that post and whether the agent has permission; if you don't want network posting, remove or edit that step.
(3) Because the skill generates code, inspect snippets for accidental disclosure or unsafe patterns before publishing.
(4) If you want clearer authority boundaries, request the skill declare required webhooks/credentials or change the instructions to output only and require manual posting/review.
If you want this cleared as benign, provide details about the Discord integration and confirm where the memory file is stored and who can read it.

Like a lobster shell, security has layers — review code before you run it.
