ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Hook Generator

v1.0.0

Viral hook generator for social media posts. Generate 10+ scroll-stopping opening lines for X/Twitter, LinkedIn, TikTok, Instagram, and Threads optimized for...

0· 71·1 current·1 all-time
by@mguozhen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be a 'viral hook generator' and the included analyze.sh implements that by constructing a prompt and asking a local OpenClaw agent to produce hooks — functionally coherent. However the registry metadata declares no required binaries or env vars, yet analyze.sh invokes the 'openclaw' CLI and 'python3'. The metadata omission is an inconsistency: the script legitimately needs those binaries to run.
Instruction Scope
SKILL.md and analyze.sh stay within the stated task (generate hooks, produce variations, A/B pairs, and platform adaptations). The script does not read unexpected files or environment variables. However it runs 'openclaw agent --local ...' which hands the user's input (the topic/platform) and a crafted prompt to another program; that program may perform network calls or use credentials not visible here, so there's an indirect data flow to review.
Install Mechanism
There is no install spec (instruction-only plus a shell script), so nothing is automatically downloaded or written during install. That is lower risk. The risk comes from runtime requirements (external binaries) rather than installation.
!
Credentials
The skill declares no required credentials or env vars, which would be appropriate for a simple generator. But because analyze.sh invokes the 'openclaw' CLI, any credentials or configuration that CLI uses (API keys, agent tokens, telemetry settings) are implicitly in-scope even though not disclosed. Additionally the script uses python3 but that is not declared. The absence of declared runtime dependencies and potential indirect use of agent credentials is disproportionate to what's documented.
Persistence & Privilege
The skill is not marked always:true, does not attempt to modify other skills or system config, and appears to only run a single local command at invocation. No persistent or elevated privileges are requested by the skill itself.
What to consider before installing
This skill appears to do what it says (generate social-media hooks), but there are important metadata inconsistencies you should resolve before using it widely. The analyze.sh script calls the 'openclaw' CLI and 'python3' at runtime even though the skill metadata lists no required binaries — ask the author to update metadata to declare these dependencies. Before running the script, verify where the 'openclaw' binary comes from and whether it will send your input to any remote service or reuse agent credentials (it may read local agent config or network). If you cannot confirm that, run the script in a sandboxed environment or inspect/run it manually with safe inputs. If you plan to install/use this in a production environment, request an updated package that declares required binaries (openclaw, python3) and documents any network/telemetry behavior; otherwise treat this skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97beasn5h0f3eyj286nnvd7c583fqk2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments