ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aquaponics Farm Video

v1.0.0

AI video creation for aquaponics farms, wealth management practices, independent financial planners, and registered investment advisors — generate retirement...

0· 40·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's display name and slug imply 'aquaponics farm' video creation, but the SKILL.md content is almost entirely about marketing videos for financial planners, RIAs, and fiduciary advice. This naming/description mismatch is incoherent and could indicate sloppy composition or intentional mislabeling. Nothing in the manifest (no env vars, no binaries) explains why the title and description diverge.
Instruction Scope
This is an instruction-only skill (SKILL.md) with no code. The visible portion is a long marketing-style instruction set for producing advisor-targeted videos. I could not see the entire SKILL.md here, so I cannot fully verify whether the runtime steps ask the agent to read local files, export data, or call external endpoints. The skill’s purpose involves producing financial-advice-style content; that raises regulatory and impersonation risks (creating content that looks like professional fiduciary advice) which the user should consider even though no secrets are requested.
Install Mechanism
No install spec and no code files — lowest technical installation risk. Nothing is downloaded or written to disk by the manifest.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to an instruction-only content-generation skill. However, absence of requested credentials does not prevent the SKILL.md from directing the agent to output content that could be used to impersonate licensed advisors.
Persistence & Privilege
always:false and no special privileges requested. Autonomous invocation is allowed by platform default, which is normal; the skill does not request persistent system-wide changes in the manifest.
What to consider before installing
This skill is suspicious mainly because its name (aquaponics) and its description (financial-advisor marketing videos) don't match — that could be an accidental mix-up or intentional mislabeling. Before installing: (1) review the entire SKILL.md to confirm what runtime actions it actually instructs the agent to do (look for any network endpoints, upload steps, or requests for user data), (2) do not supply any credentials or private client data to the skill, (3) be cautious about using it to generate content that could be interpreted as professional financial advice or that impersonates licensed advisors (check compliance/legal teams), and (4) if you plan to use it in production, test it in a sandbox and ask the publisher for provenance (homepage, maintainer contact, and clarification of the naming mismatch). If you can share the full SKILL.md I can re-evaluate instruction-level risks (e.g., data exfiltration, outbound endpoints).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ap7jek849m5m8sjz338anhx84fc7h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments