Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Client Reporting Automation
v1.0.0
Automated client reporting for agencies and freelancers using OpenClaw. Pull data from Google Analytics, Google Search Console, social media platforms, and c...
by Tyler Hill (@reighlan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (agency/freelancer client reporting) matches the code and instructions: scripts pull GA4/GSC/social placeholders, render templates with Jinja2, and deliver via SendGrid or Slack. Required tools (requests, jinja2, optional wkhtmltopdf) are appropriate for the stated functions.
Instruction Scope
SKILL.md and the bundled scripts give concrete commands and reference where credentials live (global config.json or env). The SKILL.md references using service account keys and SendGrid; scripts read global config.json and allow env fallbacks (e.g., SENDGRID_API_KEY, SLACK_WEBHOOK_URL, CLIENT_REPORTS_DIR). One minor mismatch: SKILL.md refers to 'social-media-autopilot' for social credentials (external skill convention) which may be confusing but not malicious.
Install Mechanism
No install spec; this is instruction-only plus shipped scripts. The runtime dependencies are Python packages installed via pip (requests, jinja2) — expected and low risk. There are no remote download-or-extract steps or third-party binary fetches in the repository.
Credentials
The skill requires credentials appropriate to its purpose (GA4 service account, GSC key, social API keys, SendGrid API key). The registry metadata shows no required env vars, but the scripts do accept env fallbacks (SENDGRID_API_KEY, SLACK_WEBHOOK_URL, CLIENT_REPORTS_DIR). Be aware secrets can be stored in the workspace config.json or as file paths to service-account JSON; storing credential files in project folders can be risky if the workspace is shared or checked into VCS.
Persistence & Privilege
Skill is not marked always:true, does not modify other skills or system-wide settings, and has no install step that persists new daemons or services. It writes files only within its workspace (clients/, templates/, data/, reports/).
Assessment
This skill appears to do what it says, but review and control where your credentials live before installing:
1) Prefer pointing to an isolated service-account JSON on disk (ga4_credentials_file / search_console_credentials_file) rather than embedding secrets into config.json checked into source control.
2) Use a dedicated SendGrid API key with limited scopes and verify recipient addresses.
3) Slack delivery relies on webhooks — ensure webhook URLs are kept secret.
4) HTML templates reference client-provided logo URLs; external images in emails can leak metadata when recipients open them — consider inlining assets or hosting images on trusted storage.
5) Run the scripts in a controlled workspace (set CLIENT_REPORTS_DIR) and set restrictive file permissions on config/credential files.
If you want higher assurance, request maintainer provenance (homepage/author) and a short security readme describing secret handling.
Like a lobster shell, security has layers — review code before you run it.
