ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ab Testing Company Video

v1.0.0

Creates short demo and testimonial videos showcasing data integration, audience targeting, and marketing ROI for customer data platform decision-makers.

0· 10·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description says it will use marketing performance data and 'your data platform credentials' to create demo/testimonial videos, but the package declares no required credentials, no data paths, and no tooling. That mismatch suggests the skill either expects interactive requests for sensitive data or omits important operational details.
!
Instruction Scope
SKILL.md contains only a high-level marketing-oriented prompt and no concrete runtime steps, API endpoints, or safe handling instructions. It references using user data and credentials but does not specify how those are obtained, stored, processed, or where videos are produced/sent — leaving broad discretion and potential for unexpected data collection or transmission.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk-install risk, but also means there is no programmatic detail to audit.
!
Credentials
The description explicitly references 'data platform credentials' and marketing performance data but the skill declares zero required environment variables, credentials, or config paths. Requesting credentials at runtime without declaring them is disproportionate and should be clarified.
Persistence & Privilege
The skill does not request always:true and makes no claim to modify other skills or system-wide settings. It appears not to demand elevated or persistent platform privileges.
What to consider before installing
This skill is vague about how it will get and handle your marketing data and platform credentials. Before installing or using it, ask the publisher: (1) exactly what credentials or API keys it needs and why, (2) where data is sent or processed (local agent vs external service and which domain), (3) whether credentials are stored, for how long, and whether they are encrypted, (4) a privacy/security policy and sample runtime transcript showing how the skill prompts for data, (5) whether the skill supports read-only, scoped API keys (use those), and (6) a way to revoke access and rotate keys. Until you get clear, specific answers and a principle-of-least-privilege workflow (temporary or scoped keys, test with dummy data), treat the skill as potentially risky for sharing real customer data or admin-level credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk977v4y5gae64v2ky1cffe76pd84882q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments