Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Automation Content Creator

v1.0.0

Automatically scrape top viral posts, analyze hooks, generate original scripts and captions, schedule posts across platforms, and optimize content performanc...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is an automated pipeline for scraping, generating, and auto-publishing social media content, and the SKILL.md contains code and commands to do exactly that. However, the registry metadata declares no required environment variables or credentials, while the instructions explicitly require APIFY_TOKEN and CLAUDE_API_KEY and implicitly need publishing service credentials (Buffer/Later/Hootsuite or social-platform API tokens). This mismatch (declares no secrets but needs them) is disproportionate and unexplained.
Instruction Scope
SKILL.md instructs frequent scraping across TikTok, Instagram, YouTube, Reddit, and Twitter/X via Apify actors, then sending content to an LLM (Anthropic/OpenClaw) and auto-scheduling posts. The actions are within the described purpose, but the instructions are broad and operationally vague about required posting credentials, rate limits, privacy/terms-of-service compliance, and where analytics/collected data are stored or reported. It also promises 'run completely autonomously' with minimal human input, which increases operational risk if misconfigured.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code, so nothing will be written or downloaded by the registry itself. The SKILL.md suggests running npm install locally (apify-client, axios, node-cron, dotenv), which is a normal developer step. No remote archives or third-party installers are embedded in the registry metadata.
Credentials
The skill's runtime instructions explicitly require APIFY_TOKEN and CLAUDE_API_KEY (and in practice will need posting/service credentials for Buffer/Later/Hootsuite or direct social APIs), yet the registry metadata lists no required env vars or primary credential. That omission is a clear inconsistency: the skill expects secret credentials but does not declare them, and it also doesn't justify why multiple tokens (scraping + LLM + publishing) are needed.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It does describe autonomous operation once configured, which is consistent with its purpose. There is no evidence in the metadata or SKILL.md that the skill will modify other skills or system-wide settings.
What to consider before installing
This skill is coherent functionally but the registry metadata is incomplete and omits key credentials and operational details. Before using/installing:

1) Expect to provide at least an Apify token (APIFY_TOKEN) and an Anthropic/OpenClaw key (CLAUDE_API_KEY), and also credentials or API tokens for whatever scheduler/publisher you use (Buffer, Later, Hootsuite, or direct social APIs).
2) Verify you are allowed to scrape the target platforms and that your usage complies with their terms; large-scale scraping can lead to account bans or legal risk.
3) Be cautious storing API keys in environment variables—use a secrets manager if possible and avoid committing them to code.
4) Review billing implications: Apify actors and LLM usage can incur costs.
5) If you intend to auto-publish, ensure you have appropriate account-level permissions and consent for any content you post (especially repurposed or copyrighted material).
6) Run the code in an isolated/dev environment first, enable logging and rate limiting, and require human review before fully autonomous publishing.

The metadata omission of required credentials is a red flag — ask the publisher to update the registry manifest to list the environment variables and any external tokens the skill needs before trusting it.

Like a lobster shell, security has layers — review code before you run it.
