Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Audience Profiler

v1.0.0

Target audience profiler for social media strategy. Build detailed audience personas with psychographics, pain points, content preferences, and platform beha...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: stale
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (build audience personas) aligns with the included analyze.sh which builds a prompt and generates persona text. However, the skill manifest declares no required binaries while the script clearly requires the 'openclaw' CLI and python3 (and implicitly a working CLI model backend). This is a mismatch between declared requirements and actual actions.
Instruction Scope
SKILL.md itself is scoped to persona generation, but analyze.sh constructs a prompt from user input and runs 'openclaw agent --local' which performs a model invocation using local agent context. That means any input you pass to the script is forwarded to the agent/model run (and potentially outbound network calls handled by the agent). The instructions do not declare or warn about that data flow.
Install Mechanism
There is no install spec (instruction-only), which is low-risk for installation artifacts. However, the skill ships a runnable shell script (analyze.sh) that will be executed by the agent environment; no archives or external downloads are performed.
Credentials
No environment variables or credentials are requested in metadata. That said, the script implicitly relies on the local 'openclaw' agent runtime (which may use local config or credentials) and on python3 being present. Those implicit dependencies are not declared.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It simply invokes the local agent at runtime; it does not install persistent components.
What to consider before installing
Before installing or running this skill:
(1) Inspect analyze.sh yourself — it sends whatever you pass as the audience prompt to 'openclaw agent --local', so sensitive or proprietary input will be forwarded to your agent/model runtime.
(2) Ensure you trust the local OpenClaw CLI and its configured model backend.
(3) Note that python3 and the openclaw CLI are required but not declared; do not run the script in an environment where those binaries or credentials are unknown.
(4) If you want to minimize data exposure, run the prompt on an isolated machine or adjust the script to use a local-only model or to sanitize inputs.
If you need more confidence, ask the publisher for clarification about the intended runtime and why required binaries were not listed.

Like a lobster shell, security has layers — review code before you run it.

latest vk97ard8d95gqsab3hqyx2xxj2183e8wr
