Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

UGC Creator Machine

v1.0.0

Find brands actively buying UGC, generate winning ad scripts, personalized pitches, rate cards, and produce 5 demo videos plus a 30-day client acquisition plan.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to scrape TikTok/Meta/Instagram/LinkedIn, to produce videos via InVideo AI, and to use Apify and Claude AI. Yet the manifest declares no required environment variables, no API keys, no install steps, and no helper binaries. A skill that actually performs scraping and calls external APIs would normally require API keys, tokens, or at least clear instructions on authentication and allowed network endpoints. The lack of declared credentials or install mechanisms is inconsistent with the stated purpose.
! Instruction Scope
SKILL.md describes scraping ad libraries and LinkedIn to find decision‑makers and extracting top‑performing creatives, actions that involve web scraping and collecting contact/personal data. The provided instructions (excerpt) remain within the high‑level purpose, but they don't explain how authentication, rate limiting, or legal/ethical constraints are handled. They also imply network I/O to multiple external services without declaring how the agent should authenticate or where the resulting data (including personal contacts) will be stored or transmitted.
Install Mechanism
This is an instruction‑only skill with no install spec or code files, which by itself is low risk because nothing is written to disk. However, the workflow depends on external services (Apify, InVideo) that would normally require an integration path — those integration details are missing rather than handled via an install mechanism.
! Credentials
No environment variables or primary credentials are declared, yet the skill explicitly references paid third‑party services (Apify, InVideo, Claude). That implies missing required secrets (API keys/tokens). Requesting no credentials when external APIs are central to operation is disproportionate and ambiguous. Also the skill's goal to extract decision‑maker contacts suggests collection of personal data; there is no guidance on consent, storage, or data minimization.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user‑invocable only. There is no apparent excessive privilege requested in the manifest itself.
What to consider before installing
Do not install or run this skill until the author provides clarifications. Ask for explicit, concrete details:
(1) a list of required environment variables or API keys (Apify token, InVideo API key, Claude API key) and justification for each,
(2) exact network endpoints the skill will call and whether those calls go through the platform or a third‑party server,
(3) how authentication is performed and whether you must supply personal credentials (never share long‑lived personal passwords; prefer scoped API tokens),
(4) where scraped data and generated videos are stored and for how long, and how personal/contact data is handled (consent, privacy),
(5) sample API calls or a minimal runbook showing how the skill uses Apify/InVideo/Claude so you can audit expected behavior.
If you must proceed, only supply least‑privilege, revocable API keys, test in an isolated account, and consider disabling autonomous invocation until you can verify runtime behavior. If the author cannot supply required integration details, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest vk974q6pphzpkerhx9a0m5m9q8584frgz
