ClawHub

Clawmart Skills Empire

v1.0.0

Create, package, and sell AI skills with 5 premium templates, sales automation, pricing tiers, and launch tools to build a $10K/month business on ClawMart.

0· 338·0 current·0 all-time
by@mbugus94-lang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim to provide 5 premium templates and a sales/launch suite — the repository contains documentation, templates, pricing, and a demo script that align with that claim. However the package repeatedly claims 'full source code' and demo scripts for each skill, yet no implementation modules are present (e.g., content_engine, data_analyzer, lead_gen, trading_signals modules are referenced in templates but not included). Also marketing items (Gumroad listing, pricing) and a demo_url are present despite there being no installer or packaged binaries. These gaps suggest the package is incomplete or misrepresented.
Instruction Scope
SKILL.md instructs only simple actions (copy folder, edit config.json, run demo.py). It does not instruct reading unrelated system files. However there are problematic/inconsistent instructions: it tells users to run 'pip install -r requirements.txt' but no requirements.txt exists; templates instruct installing packages (e.g., MetaTrader5) and to configure API keys but do not specify which environment variables or where to store credentials. The included config.json contains an external demo_url (https://clawskills-kldtlvqh.manus.space/) but none of the code references or uses it; this could be harmless marketing but is an unexplained external endpoint.
Install Mechanism
This is an instruction-only skill with no install spec and no download/install steps. That reduces supply-chain risk: nothing will be written to disk by an automated installer. The only file that executes is demo.py, which only prints text and does not perform network or filesystem operations.
Credentials
The repository requests no environment variables or credentials in metadata, which is coherent for a template/demo package. However the documentation and templates repeatedly reference API keys, CRM connectors, email verifiers, and trading (MT5) accounts — all of which require sensitive credentials when implemented. Because the package lacks the actual implementation modules, there's no declared or enforced env var usage; that mismatch (docs asking for API keys but code not present) is a red flag from a transparency standpoint. Users should not provide real credentials until the implementations are inspected.
Persistence & Privilege
The skill does not request persistent installation privileges, always:false, and does not modify other skills or system-wide settings. No autorun or persistent services are declared.
What to consider before installing
What to consider before installing or using this skill: - Incomplete/misleading package: The marketing text and README claim 'full source' and multiple demo scripts, but only demo.py (a printout) and documentation templates are included — the actual implementation modules referenced in the templates are missing. Ask the author for the real source code for each template before trusting or buying. - Missing files referenced in docs: SKILL.md/README refer to requirements.txt and pricing.json that are not present. That suggests the package is incomplete or packaged for sale without the working code. - External demo_url: config.json points to an external domain (manus.space). The repository does not use it, but verify that URL independently (it could be a harmless marketing page) and avoid sending any data there until you confirm its purpose. - Sensitive functionality in templates: Several templates describe web scraping, email verification, CRM connectors, and trading automation. When those are implemented, they will require third-party credentials and can be used to collect PII or connect to real accounts. Do not provide API keys, CRM credentials, or trading account details without reviewing the implementation and ensuring it runs in a safe/sandboxed environment. - Safe handling recommendations: - Do not run unknown code on production systems. Run in an isolated VM or container first. - Inspect any implementation code (network calls, HTTP endpoints, telemetry) before adding credentials. - If you purchase or deploy, request a signed/verified copy of the full source and a list of exact dependencies and where any external endpoints are called. - If you only need templates, treat these as documentation samples rather than deployable software until implementations are supplied. If you want, I can: - Search the repository for network calls or hidden endpoints (none found in the provided files) and highlight lines to inspect. - Generate a short checklist to vet the missing modules when the author provides them. Confidence: medium — code present is small and benign, but the package appears incomplete/misrepresented and contains templates for potentially privacy-sensitive features; additional files from the author would materially change the assessment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b757h5aqrfpn6mcwfpvc7k581vm6g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments