Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Content Publisher
v1.0.0
Publish content to Medium, Dev.to, and Hashnode from markdown files. Handles formatting, SEO optimization, scheduling, and cross-posting with canonical URLs....
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md (publishing and cross-posting). The operations described (Medium via browser, Dev.to and Hashnode via API) are plausible and aligned with the purpose. However, the skill references service credentials (DEVTO_API_KEY, HASHNODE_TOKEN) and Google login for Medium while the registry metadata declares no required env vars or primary credential—this mismatch is unexpected.
Instruction Scope
SKILL.md explicitly instructs the agent to: (a) perform browser automation on Medium using Google login, and (b) call Dev.to and Hashnode APIs using environment variables. The instructions reference credentials and publication IDs but do not explain how those credentials are obtained, stored, or scoped. Asking to use 'Google login' for browser automation without specifying OAuth or how credentials are handled raises a risk of mishandling account credentials or encouraging insecure practices. The instructions also assume certain env vars exist even though none are declared in the manifest.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That reduces risk from supply-chain downloads.
Credentials
The SKILL.md requires DEVTO_API_KEY and HASHNODE_TOKEN for API calls, and implies use of Google login for Medium, but the registry metadata lists no required environment variables or primary credential. Requiring API keys for the target platforms is reasonable for the functionality, but the omission from declared requirements is an incoherence that could lead to accidental credential exposure or confusion about where to put tokens. There is also no guidance about least privilege, token scopes, or how to avoid sharing full Google credentials.
Persistence & Privilege
always is false and there is no install or code that would persist or modify agent/system configuration. Autonomous invocation is allowed (the platform default), but there is no evidence the skill requests elevated or persistent privileges.
What to consider before installing
This skill largely does what it says (publish markdown to Medium/Dev.to/Hashnode), but there are important gaps you should address before using it:
- The SKILL.md expects DEVTO_API_KEY and HASHNODE_TOKEN but the skill metadata does not declare them—ask the author to declare required env vars and the 'primary credential'.
- Medium publishing is described as 'browser automation' using Google login. Do NOT supply your Google password directly to third-party tools; prefer OAuth-based flows or a separate account. Clarify how browser automation will access your account and whether it will reuse your browser profile.
- Confirm how publicationId (Hashnode) and other placeholders are obtained and where to store them securely (e.g., environment variables or secret manager).
- Ensure tokens you provide use least privilege and are revocable; avoid sharing long-lived master credentials.
- Because the skill is instruction-only and source/homepage are unknown, consider testing with a throwaway account and non-sensitive content first.
If the author can (1) update the manifest to declare required env vars, (2) document how Google/Medium auth is performed (OAuth vs. entering credentials), and (3) provide guidance on token scopes and storage, the inconsistencies would be resolved and the skill would be much safer to install.
Like a lobster shell, security has layers — review code before you run it.
automation, blog, content, latest, medium, publishing, seo
