ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Powered Content Repurposing

v1.0.0

Transform blog posts, articles, and long-form content into multiple formats—videos, podcasts, social media posts, and summaries. Use when the user needs cont...

0· 43·0 current·0 all-time
by@ncreighton
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description and capabilities list many integrations (WordPress auto-fetch, Google Drive import, Slack publish, HubSpot/Buffer sync, publish to social platforms). However, the declared requirements include only OPENAI_API_KEY and ANTHROPIC_API_KEY and no credentials or config paths for those third-party services. Either the skill expects the user to paste content/URLs manually (in which case the integration claims are overstated) or it will attempt automated access without declaring how credentials are provided — a clear mismatch.
!
Instruction Scope
SKILL.md is instruction-only and provides example prompts and workflows (batch imports, auto-fetch from WordPress, syncing outputs). The instructions are high-level and open-ended: they do not specify safe defaults, how to obtain or store external service credentials, or whether content (including potentially sensitive text) will be sent to external LLM endpoints. The lack of concrete, scoped runtime steps grants broad discretion and leaves ambiguity about data flows.
Install Mechanism
There is no install spec and no code files — this is instruction-only. That minimizes on-disk code risk (nothing is downloaded or executed by an installer).
Credentials
Requesting OPENAI_API_KEY and ANTHROPIC_API_KEY is plausible for a multi-model repurposing skill (fallback/choice of model). However, both are high-value credentials and the skill does not explain why it needs keys from two different providers. More importantly, integrations described would normally require additional credentials (OAuth tokens, API keys) which are not declared — either those are expected to be provided interactively (not documented) or the skill's integration claims are misleading.
Persistence & Privilege
always is false and there is no install script or persistent agent modification declared. The skill does not request persistent system privileges or automatic forcing into every agent run.
What to consider before installing
This skill promises many automated integrations but only asks for OpenAI/Anthropic API keys — ask the publisher how it connects to WordPress, Google Drive, Slack, HubSpot, Buffer, and social platforms (OAuth? user-pasted credentials? undocumented flows?). Before installing: 1) Confirm which credentials you must supply and how they're stored; prefer OAuth flows and scoped tokens over long-lived full-access keys. 2) Assume any content you send to the skill may be forwarded to OpenAI/Anthropic — do not use sensitive or private data until you verify the data handling policy. 3) If you need the advertised automated imports/syncs, request documentation showing the exact runtime steps and what credentials are required. 4) Consider testing with non-sensitive sample content first, and prefer minimal-scope API keys (rate-limited/test keys) where possible. If the repo/homepage includes executable code, review it for network calls or hidden endpoints before giving high‑privilege credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fxmdbg488t9z86mjp7ak6fh83mrnt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

♻️ Clawdis
OSmacOS · Linux · Windows
EnvOPENAI_API_KEY, ANTHROPIC_API_KEY

Comments