Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Content Repurposer
v1.0.1
Convert long-form content like videos, blogs, and podcasts into optimized short scripts, threads, posts, transcripts, and summaries for multiple platforms.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, docs, and CLI commands match the stated purpose (YouTube/blog/podcast → short scripts, threads, summaries). Dependencies (axios, cheerio, commander) and described behavior (fetching blog pages, reading transcripts, calling an AI model) are consistent with a repurposing tool. However, the top-level registry summary in the evaluation header claimed no required env vars and 'instruction-only', while the SKILL.md, clawhub.json, README and package.json indicate an OpenAI API key is required and the repo contains packaged code — this metadata mismatch is a proportionality/consistency issue.
Instruction Scope
Runtime instructions (SKILL.md and CLI) limit actions to reading input files or URLs, scraping blog content when given a URL, calling an AI model for transforms, and writing output files. There are no instructions to read unrelated system files, credentials, or to transmit data to unexpected external endpoints in the docs. The documented network activity (fetching blog HTML, calling OpenAI) is coherent with the stated functionality.
Install Mechanism
There is no separate install spec in the skill bundle, but package.json and README instruct users to install via npm or ClawHub. Dependencies are standard npm packages from the public registry. No high-risk ad-hoc downloads or obfuscated installers were found, but the documentation claiming 'instruction-only' while code files exist is an inconsistency worth confirming.
Credentials
SKILL.md and multiple files require OPENAI_API_KEY (and optionally AI_MODEL), which is appropriate for an AI-powered converter. But the summary at the top of the provided registry metadata listed 'Required env vars: none' and 'Primary credential: none' — a clear mismatch. Before installing, assume the skill will use your OpenAI key and audit how it's used (e.g., direct OpenAI API calls, client library usage, any logging or forwarding).
Persistence & Privilege
The skill does not request always:true and contains no indication it will modify other skills or agent-wide settings. It is a CLI packaged tool and the manifest does not ask for permanent elevated privileges.
What to consider before installing
This package mostly looks like a legitimate CLI content-repurposer that needs your OpenAI API key. However, the manifest/metadata show inconsistencies (claims no env vars and 'instruction-only' while the repo contains Node code and multiple docs requiring OPENAI_API_KEY). Before installing or supplying secrets:
1) Inspect src/converter.js to confirm OpenAI calls go only to official OpenAI endpoints and there are no hardcoded or hidden external URLs;
2) Verify the package source (npm package and/or GitHub repo) matches the publisher and has a trustworthy history;
3) Run the tool in a sandbox or with a restricted API key (rate-limited / scoped) first;
4) Check package.json and dependencies for supply-chain risk and run 'npm audit';
5) If you must provide OPENAI_API_KEY, prefer an API key with limited usage/quota and rotate it after verification.
These steps will reduce risk arising from the metadata/code inconsistencies noted above.
src/converter.js:11
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
