Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Market Research Automation

v1.0.0

Market research automation skill. Mine user pain points from social media and analyze competitors. Applicable for market validation before product launch, us...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim: 'mine user pain points from social media' and 'analyze competitors'. Reality: the included Python script contains only mock/local MARKET_DATA and COMPETITOR_DATA and does not perform any network calls or social-media API access. SKILL.md admits 'current version uses mock data and can be extended to real API calls.' This is an explainable mismatch but means the skill does not currently deliver the 'mining' capability it advertises.
Instruction Scope
Runtime instructions are limited to running the script and installing dependencies (requests, beautifulsoup4, pandas). The SKILL.md references X/Twitter API and Google Trends as data sources, but the provided script does not use those services, nor does it request or demonstrate handling API keys. Instructions do not ask the agent to read unrelated system files or exfiltrate data, but they leave open-ended guidance for connecting to external APIs if extended.
Install Mechanism
No install spec is present (instruction-only). The only install guidance is a pip install recommendation for common libraries; there is no archived download, third-party install script, or obscure URL. This is low-risk as-is.
Credentials
The skill declares no required env vars or credentials. However, the documented purpose (mining social media / Google Trends) typically requires API credentials; the SKILL.md does not request them now. If the code is extended to call external APIs, it would need credentials — the current lack of declared env vars is coherent with the mock-only implementation but inconsistent with the advertised live-data capability.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skill configurations, and the provided script only produces reports rather than modifying system settings. No elevated privileges are requested.
What to consider before installing
This skill is internally inconsistent: it advertises social-media mining and live competitor scraping, but the shipped code only uses static mock data and makes no network or API calls. Before installing or using it:
(1) If you expect live data, require the author to document exactly how API calls will be made and what credentials (if any) are needed.
(2) Review any future changes that add requests/beautifulsoup usage to ensure API endpoints and credential handling are explicit and safe (no hardcoded tokens or unknown remote endpoints).
(3) If you plan to extend it to web scraping, run the pip installs and the script only in an isolated environment.
(4) If you will add API keys, store them in secure env vars and audit network calls to avoid accidental exfiltration.
If you only need report/template generation from mock data, the package is low risk as-is.

