Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Audit Expert

v1.0.0

Analyze and audit content for readability, tone, and sentiment with AI-powered insights. Use when the user needs content improvement recommendations, repurpo...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill promises integrations and reporting (Google Sheets/Drive, Slack, WordPress) and automated reporting, but the declared requirements only include OPENAI_API_KEY and curl. No Slack webhook, Google OAuth credentials, WordPress credentials, or other integration tokens are requested. That mismatch suggests either the SKILL.md expects users to paste credentials at runtime or contains undocumented network calls.
Instruction Scope
SKILL.md is instruction-only and appears to direct the agent to analyze content and produce audits and Slack/Sheets reporting. Because there is no install or code, runtime behavior depends entirely on the agent following prose. The instructions could cause the agent to send content to external endpoints (e.g., Slack webhooks or Google APIs) even though those endpoints/credentials are not declared. The instructions do not (in the visible fragment) require reading unrelated local files or secrets, but the title and description explicitly reference external integrations which are not authorized in requires.env.
Install Mechanism
No install spec and no code files — lowest install risk. The skill is instruction-only so nothing will be written to disk by an installer. Required binary curl is reasonable for making HTTP requests.
! Credentials
Only OPENAI_API_KEY is required, which is appropriate for an AI-powered audit. However, the skill's claims about Slack, Google Sheets/Drive, and WordPress integrations would normally require additional credentials (webhooks, OAuth tokens or API keys) that are not declared. That omission is disproportionate to the claimed features and could hide ad-hoc prompts asking for credentials at runtime or arbitrary HTTP endpoints.
Persistence & Privilege
always is false and there is no install behavior or persistent presence requested. The skill does not request system-wide configuration changes or permanent privileges.
What to consider before installing
This skill is instruction-only and uses your OpenAI key, which makes it plausible for content analysis. However, it repeatedly claims Slack/Google/WordPress integrations but does not declare the credentials those services need. Before installing or using it:
1) ask the author how integrations are authorized and whether the skill will request or accept webhooks/tokens at runtime;
2) do not paste or type unrelated secrets (Slack webhooks, Google OAuth tokens, WordPress passwords) into prompts unless you trust the skill and understand where they'll be sent;
3) prefer skills that explicitly declare required env vars for each integration; and
4) if you need to test, run audits with non-sensitive sample content first and monitor network calls (or restrict outbound network access) to ensure no unexpected exfiltration occurs.

latest: vk978rx0yhnk6jgpahd0pefeyqx83g0wv

Runtime requirements

📋 Clawdis
OS: macOS · Linux · Windows
Bins: curl
Env: OPENAI_API_KEY
