ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content360

v1.0.0

Integrates with Content360 (app.content360.io) to create, schedule, and publish social media content across Facebook, LinkedIn, X, Instagram, YouTube, TikTok...

0· 60·0 current·0 all-time
by@noesis-boss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to integrate Content360 and the code/docs show it does: it needs Content360 auth and a Notion integration to sync posts. However the registry metadata declares no required environment variables or primary credential while the SKILL.md/README/script clearly require CONTENT360_EMAIL, CONTENT360_PASSWORD, CONTENT360_API_KEY, CONTENT360_ORG_ID, NOTION_API_KEY and NOTION_DATABASE_ID. That mismatch is unexpected and unexplained.
Instruction Scope
Runtime instructions and the included script perform actions matching the stated purpose: logging into Content360, reading a Notion database, creating posts, and updating the Notion 'Posted' checkbox. The instructions do not appear to request unrelated local files or system credentials. They do, however, direct the agent to store and use multiple secrets and to modify remote Notion pages (marking posts as posted), which is destructive by design and should be explicitly approved by the user.
Install Mechanism
No install spec and only a simple pip dependency (requests) is used per README. There are no external downloads or obscure install sources. No binary install or archive extraction is present.
!
Credentials
The script requires multiple sensitive environment values (Content360 email/password and bearer token, org ID, Notion API key and database ID). Those are proportionate to the declared functionality, but the registry incorrectly lists none, and README contains hard-coded example values (an email, ORG id and a Notion DB id). Hard-coded identifiers and an example email are suspicious and could indicate leaked defaults or sloppy copy-paste.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. It will, however, modify remote Notion pages (marking posts as posted) which is part of its intended behavior and requires user consent.
What to consider before installing
This package mostly does what it says (sync Notion → Content360) but contains troubling inconsistencies. Before installing: 1) Do not provide your Content360 password or Notion token unless you trust the source — prefer issuing scoped tokens and use only the minimum credential required. 2) Verify the full script (the file provided is truncated in the listing) for any hard-coded endpoints or exfiltration logic. 3) Ask the publisher for a homepage, source repo, and explanation for why registry metadata lists no required env vars. 4) Remove or rotate any tokens/ passwords after testing. 5) Test in an isolated account/environment (and a throwaway Notion database) because the script will modify remote data (it marks items as Posted). If you cannot verify the origin or full code, treat this skill as high-risk and avoid supplying real credentials.

Like a lobster shell, security has layers — review code before you run it.

automationvk97d9v7td222p0vkrn7k2dmqvd84ndmrcontentvk97d9v7td222p0vkrn7k2dmqvd84ndmrlatestvk97d9v7td222p0vkrn7k2dmqvd84ndmrnotionvk97d9v7td222p0vkrn7k2dmqvd84ndmrsocial-mediavk97d9v7td222p0vkrn7k2dmqvd84ndmr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments