Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Strategic Mentality
v1.2.0
Apply battle-tested business mentality frameworks from Sun Tzu (Art of War), Alex Hormozi ($100M Leads), The 12 Week Year, and Dan Kennedy (No BS Direct Resp...
by Nex AI (@nexaiguy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a strategy/mentality framework (benign for advice). However, its instructions (HEARTBEAT.md and references) expect the agent to send scheduled Telegram messages, store trend data, run scrapers, query PageSpeed/social activity, and optionally use Resend/Calendly/Qwen Vision — none of which are declared in requires.env or install specs. Either the platform is expected to provide connectors (not documented), or the skill assumes access to external services that a user must authorize. This is an incoherence between purpose and the external capabilities the skill expects.
Instruction Scope
SKILL.md and HEARTBEAT.md explicitly instruct the agent to: (a) schedule weekly Telegram pings and monthly check-ins; (b) store weekly scores and trend history; (c) run reconnaissance (website checks, PageSpeed, social activity), and (d) optionally auto-load Nex AI-specific context which references internal endpoints and infrastructure. Those are operational actions beyond pure text advice and may cause network activity, data collection, or outbound messages. The instructions do not specify where credentials, chat IDs, or storage reside, and they grant broad discretion for scraping and automated outreach logic.
Install Mechanism
No install spec and no code files — the skill is instruction-only. That lowers disk/write risk: nothing will be downloaded or executed by an installer. The primary runtime surface is the agent following prose instructions.
Credentials
The skill requests no environment variables, yet references multiple services that normally require credentials (Telegram bots, Resend API, Calendly, Qwen Vision, Google/Maps scraping). The 'Nex AI Context' file contains private/internal endpoints and lists infrastructure (ports, domains, bots). Asking the agent to access those resources without declaring required env vars or explaining authorization is disproportionate and ambiguous — it could lead the agent to attempt to use platform-level credentials or hit internal endpoints unexpectedly.
Persistence & Privilege
HEARTBEAT.md configures recurring behavior (weekly Telegram pings, trend storage, execution alerts). 'always' is false and there's no install, so the platform would need to run a scheduler or the agent must be permitted to create persistent tasks. This persistent outbound communication capability is not inherently malicious but requires explicit user consent and clear configuration of where messages go and where data is stored.
What to consider before installing
This skill is mostly a set of well-structured business frameworks and templates, but it expects the agent to perform scheduled messaging, scraping, and use external services without declaring how it will obtain credentials or where it will store data.
Before installing or enabling:
- Confirm how Telegram pings are authorized: which bot/token and chat ID will be used, and that you explicitly consent to scheduled messages.
- Ask where weekly scores and trend data will be stored (agent memory, platform DB, your account storage) and who can access them.
- If you are not part of 'Nex AI', treat the Nex AI context as potentially environment-specific: it references internal endpoints, ports, and bots. Do not expose private network or credentials to this skill unless you control that environment.
- If you want the automation (heartbeat, scrapers, email sequences), require the skill (or platform) to declare which environment variables or connectors it will use (Telegram_TOKEN, RESEND_API_KEY, etc.) and review those integrations separately.
- If you only want advice/templates, restrict the skill from performing network actions or automated outreach until you've validated connectors and consent.
Given the mismatch between instructions and declared requirements, proceed only after clarifying the above; otherwise treat the skill as text-only guidance and disable any automated outbound features.
