ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Thread Converter

v1.0.0

Convert any long-form content into viral Twitter/X threads, LinkedIn posts, or Threads posts. Paste an article, blog post, or idea and get a platform-ready t...

0· 89·0 current·0 all-time
by@mguozhen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description (convert long-form text into social threads) matches the code's goal, but the package metadata claims no required binaries while analyze.sh clearly invokes external programs (openclaw agent, python3, date). The missing declared dependency on the openclaw CLI is disproportionate to the simple transformation purpose and is an inconsistency.
!
Instruction Scope
SKILL.md and analyze.sh instruct the agent to send the user's input to the 'openclaw agent --local' CLI. That will hand user content to another process (likely a model runtime). The script does not document where that data goes, whether it stays local, or whether network calls occur—so the instructions allow transmitting user content to an external service without disclosure. The script otherwise only reads its CLI args and emits generated text; it doesn't access other system files.
Install Mechanism
This is an instruction-only skill with no install spec and a single shell helper script. Nothing is downloaded or extracted during install. Low install footprint.
Credentials
requires.env lists nothing, which is consistent with no API keys, but analyze.sh depends on the 'openclaw' CLI and python3 at runtime. If the 'openclaw' CLI needs credentials or remote model access, that is not declared. No environment variables requesting secrets are present in the repository, but the script's runtime dependency could implicitly require credentials on the host.
Persistence & Privilege
always is false and the skill has no install step that modifies agent configuration or persists credentials. The script only runs when invoked and writes no files; no elevated or persistent privileges are requested.
What to consider before installing
Before installing or using this skill: 1) Be aware the included analyze.sh calls 'openclaw agent --local' and python3 but the skill metadata does not declare those binaries—verify you have these tools and understand what 'openclaw' will do (local-only vs. remote API calls). 2) Do not paste sensitive or private content until you confirm where the openclaw CLI sends data and whether it leaves your machine. 3) Prefer skills that explicitly list runtime dependencies and explain any network/model interactions. 4) If you want to proceed, inspect the openclaw CLI on your system (its source or docs), test the script with non-sensitive text, or run it in a sandboxed environment. 5) If the author/published repo is important to you, verify the GitHub homepage and author identity before trusting this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk975g1d3k1s7yh0206hvbcdhfd83ex1j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments