Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
alternatives-page-generator
v1.2.1
When the user wants to create, optimize, or audit alternatives or comparison content (page or blog article). Also use when the user mentions "alternatives pa...
⭐ 0 · 88 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md consistently focus on creating SEO/PPC-focused 'alternatives' and comparison pages. The guidance (structure, SEO, conversion) aligns with that purpose and does not request unrelated capabilities.
Instruction Scope
The SKILL.md explicitly instructs the agent to 'Check for project context first: If .claude/project-context.md or .cursor/project-context.md exists, read it for product, competitors, and differentiators.' Those paths are not declared in requires.config or elsewhere; instructing the agent to read arbitrary workspace files is scope expansion and could expose sensitive project data or secrets. The rest of the instructions (tables, CTAs, migration suggestions, bidding on competitor keywords) are within the stated goal but sometimes encourage paid-ad tactics that may require separate policy review.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk footprint and no downloads. This is low risk from an install/execution perspective.
Credentials
The skill declares no environment variables or credentials, which is appropriate for a content-generation helper. However, because it instructs reading workspace files (undeclared), there is a potential for accessing project-specific secrets stored in those files even though no credentials are requested.
Persistence & Privilege
always is false and there is no attempt to modify other skills or system-wide settings. The skill may be invoked autonomously (platform default), which is normal — but if combined with file-reading behavior it increases potential for unintended data access.
What to consider before installing
This skill appears to do what it says (produce SEO/PPC alternatives and comparison content) and has no install or credential requests, but it tells the agent to read local project-context files (.claude/project-context.md, .cursor/project-context.md) that were not declared. Before installing or invoking the skill: (1) Inspect those project-context files and remove any secrets or sensitive data, or run the skill in an isolated workspace that contains only safe sample data. (2) Confirm you are comfortable with the skill using workspace files for context. (3) Be aware it recommends competitor-brand paid-ad tactics—ensure that aligns with your legal/policy constraints. (4) Because the skill can run without installing anything, the primary risk is accidental disclosure from workspace files rather than code execution; limit file access accordingly.
Like a lobster shell, security has layers — review code before you run it.
latestvk9777cnavp6edgwbs7h4hqmjys83yf4x
