Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Online Course
v1.0.0Automates validating course topics, reverse-engineers top courses, generates curriculum, scripts, sales copy, launch emails, and promo video for a ready-to-l...
⭐ 0· 31·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose is automated scraping (Udemy, Google, Reddit, YouTube, Twitter/X) and calling paid services (Apify, InVideo AI, Claude). However, the registry metadata shows no required environment variables, no install steps, and no code files. Performing the claimed actions would normally require API keys/accounts, network access, or installable scrapers; the absence of declared credentials or runtime requirements is inconsistent and unexplained.
Instruction Scope
The SKILL.md explicitly instructs scraping public sites and aggregating competitor/course data, then sending that data to third‑party services for analysis and video generation. That scope includes collecting large amounts of external content (and possibly copyrighted or sensitive user content) and transmitting it off‑platform. The instructions appear broad (many sources) and rely on external services — the policy/behavior around what is collected, how it's filtered, and where it's sent is not documented in the skill manifest.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which means nothing will be written to disk by an installer — lower installation risk. However, being instruction-only increases reliance on external services and runtime decisions by the agent.
Credentials
Despite heavy reliance on external APIs (Apify, InVideo AI, Claude) and likely need for API keys, no env vars or primary credential are declared. That mismatch is disproportionate: either the skill will prompt for credentials ad hoc at runtime, or it silently assumes the platform provides keys — neither is documented. This raises risk of accidental credential disclosure or unexpected network traffic to third parties.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not declare modifications to other skills or system configuration. Autonomous invocation is permitted by default but is not combined with elevated persistence here.
What to consider before installing
This skill is suspicious because it promises heavy web scraping and third‑party API usage but declares no API keys, installs, or storage behavior. Before installing or running it, ask the maintainer for: (1) a complete list of required API keys/accounts (Apify, InVideo, Claude, any site-specific APIs) and where/how they are stored; (2) a data-flow description showing exactly what is scraped, what is sent to third parties, and whether scraped content may include copyrighted or personally identifiable data; (3) rate‑limit and cost expectations for external services; (4) a privacy/retention policy for logs and uploaded content. If you proceed: do not paste sensitive credentials into an unverified prompt, prefer supplying your own API keys with minimal scopes, run initial tests in a sandbox account, and monitor outbound network activity and billing. If the maintainer cannot provide clear answers or asks for unrelated credentials, decline to install.Like a lobster shell, security has layers — review code before you run it.
latestvk97drng669g6hcqegggwx6xhbd840s4b
License
MIT-0
Free to use, modify, and redistribute. No attribution required.