Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Content Repurposer Pro
v1.0.0
Automatically convert long-form videos, blogs, and podcasts into platform-optimized social media scripts, threads, summaries, and transcripts.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, README, SKILL.md, and the CLI commands align with a content-repurposing tool; required env var (OPENAI_API_KEY) is consistent with using OpenAI. However, the registry metadata at the top lists 'Source: unknown' and 'Homepage: none' while clawhub.json and package.json claim a GitHub repo and a homepage — this mismatch in provenance should be checked. Also the package includes extensive marketing/publishing docs (COMPLETION_REPORT.md, LAUNCH_CHECKLIST.md) which is unusual but not harmful.
Instruction Scope
Runtime instructions (SKILL.md) are scoped to converting user-provided transcripts, fetching blog pages by URL, and using the OpenAI API; CLI code reads only user-specified files or fetched URLs. There are no instructions to read unrelated system files or environment variables beyond the declared OPENAI_API_KEY/AI_MODEL optional setting.
Install Mechanism
The registry indicates 'No install spec — instruction-only', but the package actually contains executable code (bin/cli.js, src/converter.js) and a package.json with npm install instructions. That mismatch is an incoherence: either the skill should include an install spec or the registry listing should reflect that it contains executable code. Additionally package-lock.json indicates many dependencies and a cheerio package metadata that requires a newer Node engine (node >=20.18.1) while package.json lists node >=18.0.0 — this engine mismatch could cause install/runtime problems.
Credentials
The only required credential is OPENAI_API_KEY (with an optional AI_MODEL env var), which is proportionate for an AI-powered repurposing tool. No unrelated secrets, system config paths, or other credentials are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no evidence it attempts to modify other skills or system-wide agent settings. Normal autonomous invocation remains enabled (platform default).
Scan Findings in Context
[pre_scan_injection] expected: Scanner found no injection or obvious malicious regex matches. Absence of findings is not a guarantee of safety — full review of src/converter.js (truncated in the package listing) is still recommended.
What to consider before installing
This package mostly matches its stated purpose: it converts user-provided transcripts and fetched blog pages using OpenAI. Before installing, do these checks:
1) Verify provenance — confirm the GitHub repo and homepage links actually exist and match the published package (metadata inconsistencies were observed).
2) Inspect src/converter.js and any network code to ensure requests go only to expected endpoints (OpenAI and fetched blog URLs) and there are no hardcoded, unexpected external endpoints.
3) Check the package.json / package-lock engine and dependency mismatches (cheerio's engine vs package.json node requirement) to avoid runtime surprises.
4) Run the tool in a sandbox or with a dedicated OpenAI key (not a high-privilege/shared key) and consider restricting network access if you want to test for exfiltration.
5) If you aren't comfortable reviewing code, prefer to obtain this skill from a verified source/homepage or wait for a published ClawHub listing with a validated repository.
Providing the full src/converter.js and test outputs would increase confidence and allow a re-evaluation.
src/converter.js:11
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bezywdwb2x175d6110rh8s5837sxk
