ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

brand-monitoring

v1.0.1

When the user wants to monitor brand mentions, detect trademark infringement, or set up brand monitoring. Also use when the user mentions "brand monitoring,"...

0· 11·0 current·0 all-time
by@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and instructions all align: the skill gives monitoring strategies, channels, cadence, and vendor guidance for brand monitoring. The content and recommended outputs are proportionate to a brand-monitoring advisory role.
!
Instruction Scope
The SKILL.md explicitly tells the agent to check for and read .claude/project-context.md and .cursor/project-context.md to extract brand name, domain, and assets. Those config paths were not declared in the skill metadata (required config paths: none). Reading workspace project-context files is scope creep relative to the declared surface because it accesses local files without declaring that access.
Install Mechanism
This is an instruction-only skill with no install spec and no code files—lowest-risk installation behavior (nothing written to disk by an installer).
Credentials
The skill requires no environment variables or credentials, which is appropriate for an advisory/monitoring strategy guide. Note: it references escalation to a related 'brand-protection' skill (reactive/takedown) which may later require credentials or access—those are not requested here.
Persistence & Privilege
The skill does not request always:true, does not install components, and does not claim to modify other skills or system settings. It can be invoked autonomously (platform default) but has no elevated persistence or privileges declared.
What to consider before installing
This skill appears to be a straightforward brand-monitoring playbook and does not request secrets or install code, but it will try to read local project-context files (.claude/project-context.md or .cursor/project-context.md) if present. Before installing or invoking: (1) ensure those project-context files do not contain secrets or sensitive credentials you don't want the skill to read; (2) if you don't want the skill to read workspace files, remove or redact those files or avoid using the skill; (3) be aware that escalation to a separate 'brand-protection' skill may require platform credentials or integrations—review that skill before allowing takedown/enforcement actions; (4) if you need stricter guarantees, ask the skill author to declare required config paths explicitly or to remove automatic local-file access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b3cgavsc2xf9sdnj5axrry184dtjt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments