ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Page Cro

v1.0.0

When the user wants to optimize, improve, or increase conversions on any marketing page — including homepage, landing pages, pricing pages, feature pages, or...

0· 105·0 current·0 all-time
byMario Karras@mariokarras
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md instructions align: this is a page CRO audit assistant. The included references/experiments.md and evals.json match the stated purpose. No unrelated binaries, installs, or credentials are requested.
!
Instruction Scope
SKILL.md explicitly instructs the agent to read .agents/product-marketing-context.md or .claude/product-marketing-context.md if present. The skill package's declared requirements list no required config paths, so there's an inconsistency: the runtime instructions access local project files that were not declared. Reading those files could surface potentially sensitive project context or secrets if such files exist.
Install Mechanism
No install spec and no code files — this is instruction-only. That reduces filesystem/write risk because nothing is downloaded or executed by an installer.
Credentials
The skill requests no environment variables, no credentials, and no config paths in metadata. That is proportionate to its purpose. The sole caveat is the undeclared file reads noted above.
Persistence & Privilege
Flags show always:false and no special privileges. The skill is user-invocable and can be invoked autonomously (platform default) but it does not request permanent presence or modify other skills.
What to consider before installing
This skill appears to do what it says (CRO analysis) and has no installer or credential requests, which is low risk. However, its instructions tell the agent to read a local product-marketing-context file if present — the registry metadata did not declare that file as a required config path. Before installing or invoking the skill, review any .agents/product-marketing-context.md or .claude/product-marketing-context.md files in your workspace for sensitive information (API keys, credentials, or private customer data). If you don't want the agent to read those files, remove or redact them, or ask the skill author to declare required config paths explicitly. If you allow autonomous invocation, be aware that the agent could automatically read those context files when performing CRO tasks; that is normal platform behavior but increases the blast radius if the file contains secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6525jr7aepghr5pgtahg1n835fmg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments