Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
market-kit-skills
v1.0.0
Use when the user needs marketing deliverables such as campaign plans, Xiaohongshu notes, audience positioning, selling-point refinement, reference-grounded...
by JustAI (@qinshimeng18)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (high confidence)

Purpose & Capability
The name/description describe marketing outputs (campaigns, Xiaohongshu notes, images). The bundled scripts actually call a JustAI OpenAPI (justailab.com) and expect/obtain an API key (JUSTAI_OPENAPI_API_KEY) and can scope projects/skills — that capability is coherent with marketing purpose. However the package metadata declares no required environment variables or config paths while the code clearly depends on and manages an API key and a base URL. The omission of those requirements in the metadata is a mismatch and should be justified.
Instruction Scope
SKILL.md instructs the agent to run bundled scripts (list_projects.py, list_skills.py, chat.py, chat_result.py). Those scripts perform network calls to justailab.com, poll long-running generation, and (via _common.py) will read and write local config files and shell rc files (e.g., ~/.codex/justai-openapi-chat.json, ~/.claude/justai-openapi-chat.json, ~/.zshrc, ~/.bashrc). The runtime instructions do not explicitly warn users that the scripts will modify shell startup files or persist API keys, creating scope creep compared to a simple 'generate marketing copy' description.
Install Mechanism
This is an instruction-only skill with bundled Python scripts (no download/install step from external arbitrary URLs). There is no install spec that fetches remote executables. That lowers install-time risk.
Credentials
The registry metadata lists no required env vars, but the code expects/uses JUSTAI_OPENAPI_API_KEY, JUSTAI_OPENAPI_BASE_URL, and JUSTAI_OPENAPI_TIMEOUT and includes logic to read these from local config or shell rc and to persist them back into shell rc and a local config file. Requesting and persisting an API key (and modifying shell rc) is significant privilege and should have been declared. The number and sensitivity of environment/config touches is disproportionate to what the metadata advertised.
Persistence & Privilege
The skill will persist API keys and settings to user home files (writes rc files and ~/.codex or ~/.claude json) via persist_api_key and persist_local_config. 'always' is false, and autonomous invocation is allowed (default), but the code's behavior of modifying shell startup files and local config is a non-trivial side effect and should be explicitly disclosed and justified in metadata/instructions.
What to consider before installing
This skill does implement the marketing functionality it advertises, but it also expects a JustAI API key, will read and write configuration in your home directory (shell rc files like ~/.zshrc or ~/.bashrc and local JSON config files), and contacts justailab.com. The registry metadata does not declare those environment variables or config writes; that is the main mismatch and risk.

Before installing:
1. Only install if you trust the justailab endpoint and the skill author.
2. Review scripts/_common.py (persist_api_key, _candidate_config_paths, and the network request code) to understand exactly what will be read and written, and when auto-login runs.
3. Prefer running these scripts in an isolated environment (throwaway account, container, or VM) if you need to test.
4. If you will use it on a real account, prepare to provide an API key explicitly and verify that the skill will not overwrite unrelated shell rc entries.
5. Ask the maintainer to update the metadata to declare the required env vars and to document explicitly that the tool may write your shell rc and local config files.
