Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Newsletter Monetization

v1.0.0

Automate researching viral content, generating complete newsletters, identifying growth tactics and monetization, plus creating video teasers for effortless...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The advertised functionality (scraping trending content, using Apify, producing videos with InVideo, and writing with Claude) legitimately requires API credentials and access to external services. The SKILL.md explicitly lists apify_token and invideo_api_key in its example inputs and references Claude AI, but the registry metadata declares no required env vars or credentials — that is inconsistent.
! Instruction Scope
Runtime instructions direct the agent to perform broad scraping across Google News, Reddit, Twitter/X, LinkedIn and to analyze top newsletters. It also instructs calls to InVideo and Claude. The SKILL.md does not describe how credentials are supplied, where scraped data is stored, or any limits on what is collected. That open-ended scraping and external API use go beyond what the metadata declares.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers risk compared to skills that download and execute code.
! Credentials
The skill's example input requires apify_token and invideo_api_key (and implicitly an LLM/Claude credential), but the registry lists no required environment variables or primary credential. Multiple external API keys are reasonable for the described tasks, but not declaring them is incoherent and prevents proper review of least-privilege implications.
Persistence & Privilege
The skill does not request 'always: true' and has no install actions that would persist or change other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
What to consider before installing
Do not install or run this skill until the author clarifies how credentials are handled. Key questions to ask: (1) Which exact environment variables or secrets are required (Apify token, InVideo API key, Claude or other LLM API key)? (2) Where and how does the agent send scraped data and API requests (endpoints, retention policy)? (3) Is there any code run locally or remotely (Apify actors) and who controls it? If you proceed, only provide least-privilege API keys (scoped tokens), test in an isolated account, and be aware the skill will transmit scraped content and your newsletter data to external services — review terms of service and copyright implications for scraping and republishing third-party content.

Like a lobster shell, security has layers — review code before you run it.
