Clawbridge Skill
v0.1.0Transforms your goals into nightly searches to find, rank, and summarize top candidate connections with evidence and outreach drafts for review.
⭐ 1· 1.5k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a web-scouting/lead-discovery agent that uses web_search, web_fetch and a browser — these tools fit the claimed purpose. However the README references third-party venues (e.g., Moltbook, communities) and requires managing secrets and rate limits but the skill declares no env vars or credentials. That mismatch (describing secret handling without declaring required credentials) is unexpected.
Instruction Scope
Instructions direct the agent to run nightly, scan the open web and communities, fetch profile pages, extract evidence URLs and draft outreach. Those actions legitimately involve collecting personal and contact data and may require site logins or API keys. The SKILL.md instructs to keep outreach manual, but otherwise is open-ended about what pages to fetch, how scheduling is set up, and how to avoid contacting entries in avoid_list — giving the agent broad discretion to crawl and collect data.
Install Mechanism
This is an instruction-only skill (no install spec or code). The doc suggests installing a CLI (clawhub / clawdbot) via npm or cloning a GitHub repo, but the skill package itself performs no automated installs. Because installs are user-directed and from typical sources (npm, GitHub), there's no immediate red flag — but the skill's operation may depend on external CLIs whose provenance should be verified before use.
Credentials
The skill explicitly states security defaults like 'Keep secrets out of prompts' and 'pass via env/config only' yet the package declares no required environment variables or primary credential. If this skill needs API keys, site credentials, or gateway tokens to access target venues, those are not declared here — an incoherence that could lead users to misconfigure secrets or accidentally expose them in prompts.
Persistence & Privilege
The SKILL.md describes persistent, nightly scouting. The skill metadata does not set always:true and does not request special persistence rights, so persistence would be implemented externally (CLI/scheduler). This is not inherently malicious, but the documentation implies recurring autonomous behavior that the metadata does not make explicit — verify how scheduling is implemented before enabling autonomous runs.
What to consider before installing
This skill is an instruction-only lead-scouting agent that will crawl sites and assemble contact briefs. Before installing: 1) Verify the provenance of the suggested CLIs (clawhub/clawdbot) — install only from trusted sources. 2) Clarify where and how nightly scheduling runs are created (do you need a system cron, ClawHub scheduler, or will the skill run autonomously?). 3) Identify any required credentials (site API keys, account logins) and keep them out of prompts; the package currently does not declare these, so ask the author which env vars are needed. 4) Expect collection of personal/contact data — ensure this complies with relevant privacy laws (GDPR, CAN-SPAM) and your own policies. 5) Run first in a sandboxed environment with strict rate limits and the avoid_list set, and confirm the skill will never auto-send outreach as promised. Providing the full list of external venues/APIs, required env vars, and a concrete scheduling/install procedure would reduce risk and increase confidence.Like a lobster shell, security has layers — review code before you run it.
latestvk97ekjs9m2xrcacyzyqr007mvn80dgjh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.