Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Promify Creative Generator

v1.0.2

Generate high-quality ad creatives from a product URL using the Promify API. Use when the user provides a product link and wants to generate ad images, marke...

by Promify AI @promify
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the requested capability. The only required credential is PROMIFY_API_KEY which is expected for calling Promify's API. No unrelated binaries, packages, or config paths are requested. Asking users to edit ~/.openclaw/openclaw.json to add the key is a somewhat heavy-handed but explainable setup step.
Instruction Scope
SKILL.md tells the agent to fetch arbitrary product pages and extract data, then immediately submit that data to promify.ai without an extra explicit user confirmation. It also instructs the user to 'Please paste your API Key here:' (ambiguous whether into chat), which risks users leaking secrets into conversation history. The instructions also direct editing the OpenClaw config file with a literal API key, which is functional but increases stored-secret exposure. Overall the steps are within the skill's purpose but contain actions that can leak sensitive data or operate with more autonomy than some users expect.
Install Mechanism
No install spec; instruction-only skill. No downloads or archives, so low install risk.
Credentials
Only PROMIFY_API_KEY is required, which is proportionate. However, the instructions encourage storing/pasting the API key in plaintext (chat and/or ~/.openclaw/openclaw.json), which increases risk of accidental exposure. The skill does not request other unrelated credentials.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill's instructions tell users how to add the key to their OpenClaw config, which is a reasonable setup action but does require writing a secret into a local config file—this is not performed automatically by the skill and does not modify other skills' configs.
What to consider before installing
This skill is largely consistent with its stated purpose, but take these precautions before installing/using it:
- Do NOT paste your PROMIFY_API_KEY into chat if you want to keep it private. Prefer adding it to the agent's config file or environment variables via a secure channel.
- If you must add the key to ~/.openclaw/openclaw.json, be aware it will be stored in plaintext there; consider file permissions and rotating the key if compromised.
- The skill will fetch the provided product URL and submit its extracted data to promify.ai. Confirm exactly what will be sent (images, descriptions) before the submission to avoid leaking private content.
- Consider asking the agent to show the parsed product info and explicitly request your approval before Step 3 (the SKILL.md currently says to proceed immediately).
- Check Promify's privacy and data-retention policies (https://promify.ai) and monitor your API quota/usage. If you inadvertently share the key in chat, revoke/rotate it immediately.
If you accept these privacy trade-offs and follow the precautions above, the skill's requirements and behavior appear coherent with its purpose.

Like a lobster shell, security has layers — review code before you run it.

latest vk971m2a1mrp97qxg97fmy5x8z184e1c9

Runtime requirements

🎨 Clawdis
Env: PROMIFY_API_KEY
Primary env: PROMIFY_API_KEY
