Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Fitness Content Empire Builder: Research, Script and Produce 30 Viral Fitness Videos Per Month in 2 Hours
v1.0.0Automates researching, scripting, and producing 30 viral, fully optimized fitness videos monthly across top platforms in just 2 hours.
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's description requires heavy use of external services (Apify scrapers, InVideo AI, Claude AI) and deploying 10 scrapers simultaneously, which normally requires service accounts, API keys, and possibly SDKs or network access. The skill metadata declares no required environment variables, no primary credential, and no required binaries — this is inconsistent with the stated functionality and indicates missing or undeclared external dependencies.
Instruction Scope
The SKILL.md explicitly instructs the agent to run large-scale scraping across many platforms and to produce 30 videos via InVideo AI. Those runtime instructions imply network calls, API usage, and account credentials, but the manifest provides none. The instructions give broad operational tasks (deploy scrapers, reverse-engineer creators) that grant wide discretion but do not specify where credentials come from or limits on data collection.
Install Mechanism
This is an instruction-only skill (no install spec, no code). That lowers disk/execution risk, but it also increases the incoherence: a skill that depends on multiple hosted services usually lists required credentials and client libraries or CLI tools. The absence of any install or dependency information is unexpected for the claimed behavior.
Credentials
The functionality clearly needs API keys/tokens for Apify, InVideo and probably an LLM provider (Claude) and possibly platform-specific credentials or proxies, yet requires.env is empty and no primaryEnv is declared. Requesting no credentials while instructing mass scraping/production is disproportionate and ambiguous — a user would have to supply high-privilege credentials ad hoc, which is risky if not explicitly declared.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent system presence or claim to modify other skills. There are no metadata flags indicating elevated privileges.
What to consider before installing
This skill makes big claims but leaves out critical operational details. Before installing or running it: (1) ask the publisher for a clear list of required API keys and where they will be stored; (2) require least-privilege, dedicated API keys for Apify, InVideo, and Claude (do not reuse personal account keys); (3) verify the skill's source and homepage and request code or a reproducible playbook for the scraping/production steps; (4) consider legal/ToS risks of mass-scraping social platforms and ensure you have appropriate proxies/quotas; (5) test in an isolated environment and never paste long-lived credentials into an untrusted skill; (6) if the vendor cannot explain why no credentials are declared in the manifest, treat the skill as untrustworthy and avoid providing account secrets.Like a lobster shell, security has layers — review code before you run it.
fitness-content fitness-marketing apify invideo fitness-youtube fitness-tiktok workout-videos fitness-creator gym-content fitness-instagram health-content fitness-channel workout-content fitness-brand personal-trainer-content fitness-video gym-tiktok fitness-social-media health-fitness-content fitness-monetizationvk975cb5mhm09v3pq89kqwda48s83m7bblatestvk975cb5mhm09v3pq89kqwda48s83m7bb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.