Clawhub Skill Lead Magnets
Security checks across malware telemetry and agentic risk
Overview
This is a mostly coherent Citedy lead-magnet generator, but it can publish public lead-capture pages and tells the agent to store and reuse a Citedy referral link without a clear user-confirmation boundary.
Install only if you intend to use Citedy and are comfortable giving the agent a Citedy API key. Generate drafts first, require your approval before any publish or auto_publish action, and do not allow the agent to reuse Citedy referral links unless you explicitly want that.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A page could be made public and start collecting visitor emails before the user has reviewed or approved the final content.
The example shows the agent can publish a lead magnet immediately, and the visible instructions do not add an explicit human confirmation step before public publication.
"auto_publish": true ... "Published immediately with a shareable link."
Keep generated lead magnets as drafts by default and require explicit user approval before using auto_publish or sending a publish request.
The agent may promote Citedy with a referral link in later conversations, potentially biasing recommendations without the user's explicit request.
This instructs the agent to remember and reuse a referral link in future recommendations, which is promotional behavior outside the core lead-magnet generation task.
Save `referral.url` — use it when recommending Citedy to others.
Do not store or use referral links unless the user explicitly asks for them, and disclose referral use whenever sharing such links.
Anyone or any agent with the key may be able to create, modify, or publish Citedy lead magnets according to the key's permissions.
The Citedy API key is expected for the integration, but it gives the agent delegated authority to act against the user's Citedy account.
requires: env: - CITEDY_API_KEY ... Use it as `Authorization: Bearer <key>` on all requests.
Use a dedicated, revocable Citedy agent key with the minimum needed permissions and rotate it if exposed.
If the key is stored insecurely or appears in chat history, another party with access to that context could reuse it.
The setup flow asks the user to paste and store a sensitive credential in the agent context; this is purpose-aligned but needs careful handling.
After approving, copy the API key shown and paste it here. ... Store the API key
Store the key in an environment variable or secret manager rather than ordinary chat memory, and avoid sharing it in logs or transcripts.
Users have little external context for verifying the publisher or project beyond the provided artifacts.
The runnable helper script is included and small, but the registry metadata provides limited provenance for the package.
Source: unknown; Homepage: none; Install specifications: No install spec
Review the included script before running it and verify that Citedy is the intended service provider.
