Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Proof Collector

v1.0.0

Automatically gather, filter, and format high-quality customer reviews from multiple platforms with alerts and response drafts for new feedback.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The name and description (collect/reformat reviews) align with the SKILL.md. However, the SKILL.md requires scraping platforms that commonly need API access or authorization (Google Business Profile, Facebook, Yelp, etc.) and explicitly names the 'Brave Search API' as required — yet the skill metadata declares no required environment variables, credentials, or config paths. This mismatch (declared zero credentials vs. instructions that need API access or auth) is incoherent.
Instruction Scope (flagged)
Runtime instructions explicitly direct collecting reviewer names, star ratings, text, and dates across many sites and 'monitoring' for new reviews. They give no guidance on using official APIs vs. scraping, do not mention respecting robots.txt or rate limits, and do not specify where alerts are sent or how credentials are obtained. The instructions are open-ended and could lead to broad web access and collection of personal data without safeguards.
Install Mechanism
No install spec and no code files are present; this lowers installation risk because nothing new will be written to disk by an installer. The security surface is the SKILL.md itself.
Credentials (flagged)
The SKILL.md lists a required 'Brave Search API' and suggests optional notification channels and web search capability, but the skill metadata requests no environment variables or primary credential. Also, platforms listed typically require API keys or OAuth tokens; the skill does not declare or justify any such credentials, nor does it explain how credentials would be provided, stored, or rotated. Collecting reviewer names and other identifiers is also sensitive and should be justified and scoped.
Persistence & Privilege
The always flag is false, and there are no config paths or install actions that persist or modify other skill or system settings. The skill does not request elevated or permanent platform privileges in its metadata.
What to consider before installing
This skill's goal (gathering and formatting reviews) is plausible, but the instructions expect access to many review platforms and to the 'Brave Search API' while the package declares no credentials or endpoints. Before installing or using it, ask the author: (1) how will the skill obtain legitimate API access (Brave, Google Business, Yelp, Facebook)? Request explicit env var names and OAuth flows; do not provide credentials until you verify them. (2) Confirm whether it uses official APIs (recommended) or scrapes HTML — scraping can violate site Terms of Service and expose you to IP blocking or legal risk. (3) Where will alerts and scraped data be sent/stored? Ensure destinations are trustworthy and that PII (reviewer names, identifiers) is handled per privacy rules. (4) Ask for rate-limit and robots.txt behavior and for safeguards against collecting more data than needed. If the author cannot clarify these points, treat this skill as risky and avoid giving it access to real credentials or sensitive data.
