Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Complianceradar Ai Monitor

v1.0.0

Monitor regulatory changes across SEC, FDA, FINRA, and GDPR with AI impact assessment. Use when the user needs compliance tracking, policy updates, audit tra...

0· 96·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Requiring SEC/FDA API keys, a Slack webhook, and an OpenAI key is consistent with a monitoring plus AI-assessment tool. However, the SKILL.md advertises many additional integrations (FINRA, GitHub, Notion, Zapier, email, Google Sheets) while only a subset of credentials is declared: no FINRA credential is listed, and some integrations appear only in prose. The mismatch may be poor documentation, or it may indicate that the skill's real scope is wider than its metadata admits.
Instruction Scope (flagged)
The skill is instruction-only: it tells the agent to poll public regulatory APIs, run impact analysis with GPT-4, and post notifications to Slack. It also says it will assess changes against "your organization's... policies", but the document never states how the agent is to obtain those internal policies (a GitHub or Notion connection, uploads requested from the user, or local file reads). Without that boundary, the agent could be instructed, or could improvise, to read or ask for sensitive internal documents.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only, which minimizes on-disk code risk. It does require curl and jq at runtime, which is reasonable for an instruction-based skill that makes HTTP calls and parses JSON.
Credentials (flagged)
The required env vars (SEC_API_KEY, FDA_API_KEY, GDPR_MONITOR_TOKEN, SLACK_WEBHOOK_URL, OPENAI_API_KEY) are service-specific and plausible. Concerns: (1) GDPR_MONITOR_TOKEN is vague; the skill references a "monitoring service" but does not identify the vendor or the scope the token needs. (2) Other integrations (GitHub, Notion, Google Sheets) are mentioned, but their credential requirements are inconsistent: Google Sheets credentials appear only in the SKILL.md as optional variables and are absent from the required list. (3) The OpenAI key gives the skill external LLM access to whatever data it processes; assume that any data the skill handles, including internal policy text, will leave your environment and reach OpenAI.
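The declared-versus-mentioned mismatch called out above (under Purpose & Capability and Credentials) is mechanical enough to check before installing. The script below is an added example, not code from this listing or from the skill's author: it takes the Env list from the listing's runtime requirements and diffs it against every env-var-looking name a SKILL.md mentions. The SKILL.md text here is a constructed stand-in, since the page does not reproduce the real file, and the extra names it contains (GOOGLE_SHEETS_CREDENTIALS, FINRA_API_KEY) are assumptions chosen to mirror what the scanner reported.

```shell
#!/bin/sh
# Added example (not part of the ClawHub listing or the skill): list env var names
# that a SKILL.md mentions but the skill's metadata does not declare. Run it against
# the real SKILL.md before installing; anything it prints is a credential the agent
# may ask for without the listing having warned you.

# Declared list, copied from the listing's "Runtime requirements" Env line.
DECLARED_ENV="SEC_API_KEY FDA_API_KEY GDPR_MONITOR_TOKEN SLACK_WEBHOOK_URL OPENAI_API_KEY"

# Constructed stand-in for the skill's SKILL.md (the page does not reproduce the real
# file); the two optional names at the end are assumed, to mirror the scanner's findings.
SAMPLE_SKILL_MD='# ComplianceRadar
Set SEC_API_KEY and FDA_API_KEY for the regulatory feeds.
Use GDPR_MONITOR_TOKEN for the monitoring service.
Post alerts with SLACK_WEBHOOK_URL and summarise with OPENAI_API_KEY.
Optional: GOOGLE_SHEETS_CREDENTIALS to export, FINRA_API_KEY for FINRA notices.'

# Print every identifier shaped like an env var name (UPPER_CASE with at least one
# underscore, so bare acronyms such as SEC or GDPR are ignored), one per line, deduplicated.
referenced_env_vars() {
  # $1: text of a SKILL.md
  printf '%s\n' "$1" | grep -oE '[A-Z][A-Z0-9]*(_[A-Z0-9]+)+' | LC_ALL=C sort -u
}

# Print the referenced names that the declared list does not contain.
undeclared_env_vars() {
  # $1: declared names, space-separated; $2: SKILL.md text
  for name in $(referenced_env_vars "$2"); do
    case " $1 " in
      *" $name "*) ;;               # declared in metadata: fine
      *) printf '%s\n' "$name" ;;   # mentioned in prose only: ask the author about it
    esac
  done
}

# Usage: for the constructed sample this prints FINRA_API_KEY and GOOGLE_SHEETS_CREDENTIALS.
undeclared_env_vars "$DECLARED_ENV" "$SAMPLE_SKILL_MD"
```

To run it on the real file, replace SAMPLE_SKILL_MD with "$(cat SKILL.md)". The pattern is deliberately loose; a false positive costs one question to the author, while a credential the skill requests at runtime without being declared is exactly the surprise the scanner is warning about.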
Persistence & Privilege
The always flag in the metadata is false, and there is no install script and no claim to change system-wide configuration or other skills. The skill can be invoked autonomously, which is normal for skills, but it requests no permanent agent-wide privileges in its metadata.
What to consider before installing
Do not hand over production credentials or sensitive documents until you have confirmed exactly how the skill obtains and handles your data. Specific steps to consider before installing:
1) Ask the author which GDPR monitoring service GDPR_MONITOR_TOKEN is for and what permissions the token requires.
2) Use least-privilege, dedicated API keys: a scoped SEC/FDA key where the provider offers one, a Slack incoming webhook limited to a single channel, and a separate OpenAI key with usage and billing limits or an organization policy that prevents data leakage.
3) Clarify how the agent will access your internal policies (manual upload only, a GitHub/Notion integration, or local file access). Prefer manual uploads of redacted example documents for initial testing.
4) Test in an isolated environment with non-sensitive data and review the outbound traffic to see which endpoints are actually contacted.
5) If you need automatic connections to GitHub, Notion, or Google Sheets, require explicit, documented env vars and a least-privilege token for each service.
6) If you cannot verify the source or the GDPR_MONITOR provider, treat the skill as untrusted and do not provide sensitive credentials. For higher assurance, request the full runtime workflow from the author, or an auditable implementation rather than an instruction-only SKILL.md.
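Step 4 says to review which endpoints the skill contacts during an isolated test run. Because the skill declares curl as its only HTTP tool, one way to observe and constrain that traffic is a curl shim placed ahead of the real binary on PATH. The script below is an added example, not part of this listing or of the skill; the allowlisted hostnames, the log path, and the /usr/bin/curl location of the real binary are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not part of the listing or the skill): a curl shim for an isolated
# test run. Copy or symlink this file as "curl" into a directory placed ahead of the
# real curl on PATH. Every invocation logs the target host, hosts that are not on the
# allowlist are refused, and allowed calls are handed to the real binary unchanged.
# Assumptions (adjust for your environment): the allowlisted hostnames below, the log
# path, and the real curl living at /usr/bin/curl.

ALLOWED_HOSTS="data.sec.gov api.fda.gov hooks.slack.com api.openai.com"
EGRESS_LOG="${EGRESS_LOG:-/tmp/skill-egress.log}"
REAL_CURL="${REAL_CURL:-/usr/bin/curl}"

# Print the hostname of the first argument that is itself an http(s) URL; return 1 if none.
url_host() {
  for arg in "$@"; do
    case "$arg" in
      http://*|https://*)
        arg="${arg#*://}"          # strip scheme
        arg="${arg%%/*}"           # strip path
        arg="${arg%%[?]*}"         # strip query when there was no path
        arg="${arg#*@}"            # strip userinfo
        printf '%s\n' "${arg%%:*}" # strip port
        return 0 ;;
    esac
  done
  return 1
}

# Return 0 when the host is on the allowlist, 1 otherwise (exact match, no wildcards).
host_allowed() {
  case " $ALLOWED_HOSTS " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Log the host, refuse anything off-list, otherwise exec the real curl with the same args.
curl_shim() {
  host="$(url_host "$@")" || host="(no-url)"
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" >> "$EGRESS_LOG"
  if ! host_allowed "$host"; then
    echo "curl shim: refused request to $host" >&2
    exit 7   # curl's own "failed to connect" code, so the caller sees an ordinary failure
  fi
  exec "$REAL_CURL" "$@"
}

# Act as the shim only when invoked under the name "curl"; run or source the file under
# any other name to exercise the helpers without touching the network.
case "${0##*/}" in
  curl) curl_shim "$@" ;;
esac
```

After the run, the log shows every host the agent tried to reach, including the ones it was refused; compare that list with the endpoints the SKILL.md names. Treat the shim as an observation aid, not a control: a skill can call /usr/bin/curl by absolute path or reach the network through another tool, so the sandbox should also enforce egress filtering at the network layer.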


latest: vk97efmyrwc4m27zjajxbc134es833pz6


Runtime requirements

📋 Clawdis
OS: macOS · Linux · Windows
Bins: curl, jq
Env: SEC_API_KEY, FDA_API_KEY, GDPR_MONITOR_TOKEN, SLACK_WEBHOOK_URL, OPENAI_API_KEY
