Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Social Monitor
v1.0.0
Monitor real-time brand mentions across Twitter, Reddit, forums, and news with sentiment analysis, crisis detection, and instant alerts via Slack or Telegram.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (monitor brand mentions, sentiment, alerts) matches the actions described in SKILL.md (use Apify for scraping, Claude for analysis, Slack/Telegram for alerts). The required services and packages in the instructions are coherent with the stated capability.
Instruction Scope
SKILL.md explicitly instructs the agent/operator to obtain and export multiple secret credentials (APIFY_TOKEN, CLAUDE_API_KEY, SLACK_WEBHOOK_URL, TELEGRAM_BOT_TOKEN/CHAT_ID) and to run networked scrapers and API calls. The instructions do not attempt to read local system files, but they do direct repeated network access and transmission of monitored content to external services (Apify, Claude, Slack/Telegram). The bigger problem: these env-var requirements appear in SKILL.md but were not declared in the skill metadata, creating a transparency gap.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md tells users to run `npm install apify-client axios node-cron dotenv`. This is a typical dependency list for a Node-based implementation (moderate risk). No arbitrary binary downloads or obscure URLs are requested; however, because the skill is instruction-only, there is no bundled code to audit.
Credentials
The environment variables requested by the runtime instructions (Apify token, Claude API key, Slack webhook, Telegram bot token/chat id) are sensible for the described functionality. However, the registry metadata incorrectly lists 'Required env vars: none' and 'Primary credential: none' — that mismatch is a notable red flag because it hides the fact the skill requires private credentials. Users should treat the listed example tokens as placeholders and avoid pasting production master keys without scoping and rotation.
Persistence & Privilege
The skill does not request always:true and is user-invocable. There is no instruction to modify other skills or system-wide settings. Autonomous invocation is permitted (platform default) but not by itself a problem here.
What to consider before installing
Before installing or running this skill:
(1) Note that the registry metadata claims no credentials, but the SKILL.md requires APIFY_TOKEN, CLAUDE_API_KEY, and optional Slack/Telegram secrets — treat this as a transparency/integrity issue.
(2) Only provide tokens that are scoped and rotatable (create limited-scope keys or deploy in a throwaway/test account first).
(3) Because this is instruction-only with no code bundle to inspect, ask the publisher for the actual implementation code or prefer a skill with a verifiable source/homepage.
(4) Run any untrusted scraping/analysis in an isolated environment to limit exposure of tokens and data.
(5) Verify Apify actor IDs and any third-party endpoints used, and review costs/privacy implications of continuous scraping.
If you cannot verify the source or cannot supply scoped credentials, do not install or run the skill.
Like a lobster shell, security has layers — review code before you run it.
latestvk977qp49ec2fw6srrhdz2g5wds84b6vh
