Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Accuracy Checker

v1.0.1

Fact-check and attribution-check social media content (tweets, LinkedIn posts, blog intros) before publication. Uses web search to verify factual claims and...

by Nissan Dookeran (@nissan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (pre-publication accuracy + attribution checks) aligns with the allowed tools (web_search, web_fetch) and the instructions to extract and verify claims. This capability legitimately needs web lookups. Note: the SKILL.md asserts searches will be "public only," but provides no mechanism to ensure queries do not include private/proprietary content from drafts.
Instruction Scope
The instructions require extracting all verifiable claims from drafts and running web_search/web_fetch queries against them. There are no explicit safeguards or redaction rules for sensitive or proprietary text, so queries may leak confidential content to external search providers. The skill also asks that Archie be given draft file paths and 'known sources' in the context packet; unless constrained, that could expose metadata or internal references not needed for public verification.
Install Mechanism
Instruction-only skill with no install, no code files, and no downloads — minimal disk footprint and low installation risk.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to the stated purpose. However, the SKILL.md's security note about not transmitting private data is optimistic and not enforced by any declared constraint.
Persistence & Privilege
always is false and there are no indications the skill persists or modifies other skills or system-wide config. It requests typical Read/Write/Edit privileges to produce a report file, which fits its purpose.
What to consider before installing
This skill appears to do what it says (use web search to verify claims) but it lacks explicit protections for private or proprietary drafts. Before installing or using it in a pipeline: (1) confirm whether drafts may contain confidential information—if so, add redaction rules or limit what is sent to external web_search/web_fetch; (2) require the skill to log what queries it sent and to which endpoints (so you can audit potential disclosure); (3) consider restricting outbound network or using an internal search proxy for sensitive projects; and (4) ask the author to remove or qualify the blanket "no private data transmitted" statement and to add exact handling rules for draft content and metadata. If you cannot add these safeguards, treat the skill as higher risk for potential data leakage.

Like a lobster shell, security has layers — review code before you run it.
