Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Archery Club Video
v1.0.0AI video creation for archery clubs, wealth management practices, independent financial planners, and registered investment advisors — generate retirement pl...
⭐ 0· 49·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is named "Archery Club Video" but the description and use cases are almost entirely about financial-advisor marketing and regulated financial topics — the name appears misleading or copy-pasted. The metadata declares no binaries, env vars, or install steps, yet the SKILL.md (truncated) contains an apiDomain reference, suggesting it will call an external service; that external integration is not declared in the registry metadata or homepage, which is inconsistent with the stated purpose.
Instruction Scope
SKILL.md is large and focused on creating marketing/financial videos; it includes an apiDomain value (truncated to "https://meg...") which implies runtime network calls to an external endpoint. The registry lists no required environment variables or credentials, so either the skill calls an unauthenticated public endpoint (possible but unusual for video generation) or it omits required credential declarations. Because the full SKILL.md is truncated here, I cannot confirm whether it instructs the agent to collect or transmit sensitive client financial or PII data, but the content domain (retirement, Social Security, rollovers, inheritances) makes that a realistic possibility — that raises scope and privacy concerns.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing written to disk by an installer).
Credentials
The registry declares no required environment variables or primary credential. That is plausible for a purely local template generator, but inconsistent if SKILL.md uses an external API (apiDomain) that normally requires an API key. Also, the skill deals with sensitive financial scenarios; absence of declared secure handling, consent prompts, or explicit data-retention policy is notable and should be clarified.
Persistence & Privilege
always:false and default invocation settings — no elevated persistence or forced inclusion. The skill does not request system-wide config changes or special placement in the agent.
What to consider before installing
Before installing, ask the publisher these questions and take these precautions:
- Clarify the mismatch: why is the skill named "Archery Club Video" while the content is financial-advisor marketing? Ensure the name/description weren't miscopied.
- Ask for the full SKILL.md and the exact apiDomain URL. If the skill sends text, client names, or financial details to an external service, get the service's privacy/security documentation and confirm where data is stored and who can access it.
- Confirm whether the external API requires credentials. If it does, the skill should declare required env vars and explain how secrets are protected — do not provide API keys or client financial data until you verify this.
- Avoid pasting real client PII, account numbers, or tax/health data into the skill until you know how and where data will be transmitted and stored.
- Request a homepage, source, or contact for the owner (none is listed). If the publisher cannot provide provenance and a clear data-handling policy, treat the skill as higher risk and consider not installing it.
Because the available SKILL.md was truncated here and the registry metadata omitted an endpoint/homepage/credential declaration, I recommend obtaining the full SKILL.md and endpoint details; that information could easily change this assessment.Like a lobster shell, security has layers — review code before you run it.
latestvk973t8nw8za7jdc6emqvzms7y584edvy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.