Clawhub Skill Content Writer
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated social posts or recommendations could promote Citedy through referral links without the user explicitly asking for advertising or affiliate-style content.
The skill tells the agent to save and use a Citedy referral URL, and the social adaptation examples enable referral-link inclusion. That is promotional behavior not necessary for writing the user's content.
Save `referral.url` — use it when recommending Citedy to others. ... "include_ref_link": true
Only include Citedy referral links when the user explicitly requests them, and clearly disclose that the link is promotional/referral-related.
A scheduled session may continue creating or publishing content and consuming service credits after the initial task if not carefully bounded.
The skill supports recurring scheduled automation, but the provided artifact excerpt does not show clear guardrails such as explicit confirmation, end dates, cancellation instructions, or review-before-publish controls.
Autopilot Session (Automated Publishing) ... Set up recurring content generation on a cron schedule. ... "interval_minutes": 720
Before creating an autopilot session, require explicit user approval for schedule, duration, publishing destination, review requirements, and how to stop or delete the session.
Anyone with the API key may be able to act through the user's Citedy account according to that key's permissions.
The skill requires a Citedy bearer token for API access. This is expected for the service, but it grants account-level authority for the documented Citedy operations.
Store the API key (starts with `citedy_agent_`). Use it as `Authorization: Bearer <key>` on all requests.
Use a dedicated, revocable Citedy agent key, avoid sharing it in chats or files, and revoke it if the skill is no longer used.
Private product or business information entered into the knowledge base could influence future articles or be stored by the provider.
The skill includes product knowledge-base management, which implies user-provided business context may be stored and reused for future generated content.
Manage a product knowledge base for AI-grounded articles
Do not add secrets, unreleased information, or confidential customer data unless the user is comfortable with Citedy's storage and retention practices.
Running the setup script contacts Citedy and may disclose the machine hostname as part of the default agent name.
The setup helper is a local Node script that sends an agent name to Citedy; if no name is provided, it includes the local hostname. The code is readable and purpose-aligned registration plumbing.
const agentName = process.argv[2] || `agent-${hostname()}`; ... fetch(`${BASE_URL}/api/agent/register`, { method: "POST" ... body: JSON.stringify({ agent_name: agentName }) })
If hostname disclosure is a concern, run the script with a generic agent name, such as `node scripts/register.mjs my-content-agent`.
