ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Test

v1.0.1

Automatically posts curated Reddit discussions on open source tools and resources for OpenClaw in a daily subreddit sequence.

0· 58·0 current·0 all-time
bySébastien Conejo@sebconejo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises automated Reddit posting on a daily schedule, but the skill lists no binaries, no install, no API usage, and requests no Reddit credentials or tokens. A posting/automation capability would normally require OAuth credentials or an explicit automation mechanism; their absence is inconsistent with the stated purpose.
!
Instruction Scope
SKILL.md contains prepared post titles and bodies and an order for posting, but it does not include concrete runtime instructions for how to authenticate to Reddit, how to schedule or rate-limit posts, or which account will be used. The simple instruction 'Post one sub per day in this order' grants broad autonomy without specifying required resources or safety controls.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes direct installation risk since nothing is downloaded or written to disk by the skill itself.
!
Credentials
No environment variables or credentials are declared, yet the skill's functionality inherently requires Reddit authentication (client id/secret, refresh token, or a bot account). The lack of declared credential requirements is disproportionate and leaves unclear how posting will occur and what account will be used.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows model invocation (platform default). There is no evidence it attempts to modify other skills or system-wide settings.
What to consider before installing
This skill promises automated Reddit posting but is incomplete and lacks transparency. Before installing or enabling it, ask the publisher: (1) Exactly how will posting be performed? Will it require OAuth credentials you provide, or will it post via a published account owned by the skill author? (2) If it needs credentials, prefer OAuth with a revocable token and never share plain passwords. (3) Request details about scheduling, rate-limiting, and which Reddit account will be used — automatic posting can result in spam or account bans if misconfigured. (4) Verify the skill's source and owner (there's no homepage or repository in the registry metadata) and confirm you trust them. If the skill later asks you to paste credentials into chat or to run arbitrary commands, do not provide them. If you want similar functionality but safer, prefer a skill that documents required Reddit OAuth env vars, shows code or an approved install path, and clearly states the posting account and permission scope.

Like a lobster shell, security has layers — review code before you run it.

latestvk978nkz5vddgj8vwzd510wvb4x83ds1x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments