ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Business Tools Pack

7 automation skills for digital product businesses: analytics tracking, autonomous trading signal optimization, customer research, email automation, Gumroad...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 64 · 0 current installs · 0 all-time installs
byRunByDaVinci@clawdiri-ai
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The pack claims 7 sub-skills including autonomous trading, web scraping for customer research, and email automation (ConvertKit/Mailchimp). However the registry metadata lists no required env vars, no primary credential, and no required binaries. The README itself says some skills require API keys and Python 3.8+. That mismatch (capabilities that normally need credentials and runtime tooling vs. nothing declared) is an incoherence.
!
Instruction Scope
SKILL.md is instruction-only and tells the agent to run 'clawhub install' for each included skill, but provides no runtime constraints, no explicit handling of credentials, and no safety limits for potentially dangerous functionality (autonomous trading loops, scraping forums, sending emails). The instructions grant broad discretion to install and then run sub-skills without specifying what data they may read, where they post results, or whether they will act on external accounts.
Install Mechanism
This is an instruction-only pack with no install spec and no code files in the bundle itself, which reduces direct disk/write risk. However the quick-start explicitly instructs installing seven other skills via 'clawhub install' — those sub-skills are not present for review here and may include install scripts, downloads, or third-party packages. The lack of included install specs defers risk rather than eliminating it.
!
Credentials
Metadata declares zero required env vars, yet README and the pack contents imply needs for API keys (ConvertKit/Mailchimp), possibly trading API keys, and Python for AutoSignals. Required secrets are not declared in the skill manifest, so a user cannot assess what credentials would be requested or stored by the sub-skills before installing them.
!
Persistence & Privilege
always:false and normal model invocation are used (so autonomous invocation is possible). Combined with inclusion of an autonomous trading loop and automated email/scraping skills, that raises risk: sub-skills could run autonomously and perform network I/O or actions on external accounts. The pack provides no guidance on limiting autonomy, sandboxing, or safety checks.
What to consider before installing
This bundle groups multiple potentially sensitive features (autonomous trading, forum scraping, and automated email sending) but does not declare their required credentials, runtime dependencies, or safety controls. Before installing or enabling this pack: 1) Request the full manifests and SKILL.md for each included sub-skill so you can see declared env vars, install steps, and runtime instructions. 2) Do not provide API keys (ConvertKit, Mailchimp, trading exchanges) until you can review how they are stored and used; prefer scoped/test credentials. 3) For AutoSignals, insist on a full code review and a way to run it in a sandboxed/test environment — autonomous trading should not be run against live accounts without safeguards. 4) Confirm scraping scope and legal/privacy implications for the customer-research sub-skill. 5) If you proceed, run installations in an isolated environment, limit autonomous invocation, and monitor network/activity logs. Given the manifest omissions and potentially high-impact actions, treat this pack as untrusted until you can inspect the referenced sub-skills.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97d21rh8xf6dkx438e9xm85ph83ed0c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Business Tools Pack

7 automation skills for solo founders and digital product businesses.

Included Skills

  1. Analytics & Tracking — UTM links, pixels, attribution setup
  2. AutoSignals — Autonomous trading signal optimization loop
  3. Customer Research — Social listening and pre-launch validation
  4. Email Automation — ConvertKit/Mailchimp sequence deployment
  5. Gumroad Page Generator — High-converting sales page copy from specs
  6. Testimonial Collector — Automated day-3/7/14 review collection
  7. First Principles Analyzer — Deep assumption-stripping analysis

Quick Start

clawhub install analytics-tracking-dv
clawhub install autosignals-davinci
clawhub install customer-research-dv
clawhub install email-automation-dv
clawhub install gumroad-page-gen-dv
clawhub install testimonial-collector-dv
clawhub install first-principles-dv

License

MIT

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…