Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Caption Ab Writer

v1.0.0

Caption A/B variant writer for social media. Generate 5 caption variations for any post with different angles, tones, and CTAs — ready to split test across I...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the behavior: the SKILL.md and analyze.sh prompt a model to produce 5 caption variants, hashtags, CTAs, and testing guidance. However, the bundled analyze.sh depends on the 'openclaw' CLI and python3 even though no required binaries were declared in the skill metadata/manifest, which is an inconsistency.
Instruction Scope
SKILL.md and analyze.sh are narrowly scoped to generating caption variants and A/B testing guidance. The script constructs a prompt and sends it to a local OpenClaw agent; it does not read arbitrary files or environment variables beyond creating a session id and processing the agent JSON output.
Install Mechanism
There is no install spec and no downloads. The skill is instruction + a small helper script, so it does not perform network installs or extract remote archives.
Credentials
The manifest lists no required credentials or env vars, which is appropriate for this simple caption generator. However, analyze.sh invokes the local 'openclaw agent' CLI; that CLI may read local config, auth tokens, or model credentials from the host environment (not declared here). The missing declaration of required binaries (openclaw, python3) and the implicit reliance on the local agent's configuration creates a proportionality/visibility concern.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent privileges or attempt to modify other skills or system-wide settings.
What to consider before installing
This skill is largely coherent with its stated purpose, but exercise caution before running it. Specific steps to consider:
- Inspect analyze.sh locally (you already have it) and confirm you understand what it does; it builds a prompt and calls the local 'openclaw agent' CLI and python3 for JSON parsing.
- Be aware the script will send whatever you pass as the caption/topic to the local OpenClaw agent; that agent may read its own config and credentials on your machine, so ensure those are safe and intended for use.
- The skill metadata omitted required binaries; install or run only if you have and trust the openclaw CLI and python3 on your machine.
- If you want less risk, run the prompt manually in a controlled environment or remove/replace the call to 'openclaw agent' with an explicit, audited API/CLI invocation you control.
- Avoid passing sensitive or proprietary content to the script until you verify where the agent is sending or storing data and which credentials it uses.

Like a lobster shell, security has layers — review code before you run it.
