Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Strongman Training Video
v1.0.0AI video creation for strongman trainings, wealth management practices, independent financial planners, and registered investment advisors — generate retirem...
⭐ 0· 43·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The package is named strongman-training-video and repeatedly references 'strongman training' in keywords, but the SKILL.md content (displayName, description, target audiences, and use cases) is almost entirely about creating marketing videos for financial advisors and wealth management. This mismatch (fitness vs. financial services) is not explained and could be a harmless naming/SEO mistake or a sign the skill is repurposed or mislabelled.
Instruction Scope
This is an instruction-only skill with no binaries, env vars, or install steps—so runtime behavior is entirely determined by SKILL.md. The excerpt reviewed focuses on video content generation and marketing copy; it does not (in the visible portion) instruct reading local files, accessing credentials, or sending data to external endpoints. However the provided SKILL.md text is truncated in the registry export, so I cannot confirm whether later instructions ask for sensitive client data, external API keys, or file access. Because the full runtime instructions were not fully visible, there's residual uncertainty.
Install Mechanism
No install specification and no code files are present. Instruction-only skills have a small on-disk footprint and do not download or execute external artifacts during install, which is low risk.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate for a content-generation/marketing video assistant. There is no evidence it requests unrelated credentials.
Persistence & Privilege
always:false and user-invocable:true (defaults) — the skill is not force-included and behaves like a normal user-invoked skill. There is no indication it modifies other skills or requires elevated persistence.
What to consider before installing
Do not install blindly. The immediate issue is a naming/content mismatch: the skill's slug/name suggests fitness (strongman training) but the visible instructions are focused on financial-advisor marketing videos. Ask the publisher for clarification and the full SKILL.md (confirm there are no hidden steps that request client PII, tax data, or API keys). Specifically: (1) Request the source/homepage and confirm the publisher identity before trusting content related to regulated financial advice; (2) Ask the publisher why the skill name references strongman training — it may be an SEO artifact or indicate mixed/purposed content; (3) Inspect the complete SKILL.md for any steps that send data to external endpoints, request client financial details, or instruct the agent to read local files or environment variables; (4) If you plan to use with real client data, test in an isolated environment and avoid entering PII or sensitive financial data until you verify where outputs are sent and how data is stored; (5) Check licensing for any suggested stock footage, voice cloning, or music and ensure compliance with financial marketing and advisor regulatory requirements. If the publisher cannot explain the naming inconsistency or provide the full instructions, consider the skill untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk97f9wmbr286qyrqq4axch7bn184ee7y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.