Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Creative

v1.0.0

Use for creative agencies, design studios, and content teams — project management, client communication, creative briefs, review workflows, content calendars...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the SKILL.md content: templates, checklists, heartbeat checks and workflows for creative agencies. However, the 'heartbeat' and status-check items assume access to project management, calendar, budget, and review state data even though the skill declares no connectors, environment variables, or required binaries. That's plausible if the platform supplies those integrations, but it's a capability–requirement mismatch if the skill is expected to fetch live project data on its own.
Instruction Scope
The instructions ask the agent to 'check' deadlines, client feedback age, content calendar approvals, freelancer deliverables, and budget status. The SKILL.md does not specify where or how to find this data (which tools, files, or APIs), and uses open-ended guidance that would require the agent to search or access user data (PM systems, calendars, email, storage). That vagueness grants broad discretion and could lead the agent to access many unrelated data sources unless the platform explicitly constrains which connectors it may use.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are fetched. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables or credentials, which aligns with being an instruction-only template. At the same time, to perform its active checks in practice it will need access to project tools and possibly credentials; the absence of declared required creds is a transparency gap rather than a direct overreach.
Persistence & Privilege
always is false and the skill is user-invocable. The skill can be invoked autonomously per platform defaults, but it does not request permanent presence or attempt to modify other skills or system settings.
What to consider before installing
This skill is basically a detailed playbook and templates for running a creative agency — it doesn't include code or ask for credentials. However, its 'heartbeat' and status-check instructions implicitly require access to your calendars, project management tools, inbox, file storage, or budgeting data. Before installing or enabling it: (1) ask what data sources/connectors the agent will use and limit it to only the necessary ones; (2) avoid granting blanket access to email or all project data — prefer scoped API tokens or a single test project; (3) run it first in a sandbox or with redacted test data to observe what it attempts to access; and (4) if you want tighter behavior, request the skill be updated to declare which integrations it expects and to include explicit, narrow instructions for where to read status data.

Like a lobster shell, security has layers — review code before you run it.

latestvk9729dk5kyngvzjqx3z00d9ygd84chdn

