Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contractor Marketing Cowork Plugin

v1.0.0

Cowork Plugin: AI marketing department for contractors and home service businesses. 12 slash commands + 6 background skills for SEO, ads, social media, propo...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for blueprintstudioco/contractor-marketing-cowork.

Prompt preview (Install & Setup):
Install the skill "Contractor Marketing Cowork Plugin" (blueprintstudioco/contractor-marketing-cowork) from ClawHub.
Skill page: https://clawhub.ai/blueprintstudioco/contractor-marketing-cowork
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install contractor-marketing-cowork

ClawHub CLI


npx clawhub@latest install contractor-marketing-cowork

Security Scan

Capability signals: Crypto, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description (contractor marketing) align with the commands, background skills, and connectors. Browser automation for GBP, Ads, Mailchimp, Buffer, etc., is consistent with the listed features.
[!] Instruction Scope
Runtime instructions direct the agent to read a saved business-profile.md and to automate browser flows for many account-based services (Google Business Profile, Meta Ads, Mailchimp, Buffer, etc.), which is coherent for this plugin. However, SKILL.md includes an explicit curl against a Supabase REST endpoint with an embedded API key (in clear text). That means the skill will query a third‑party server automatically when generating content — potentially sending user search queries and receiving strategy data — without any declaration in requires.env. The presence of a hard-coded key and an external project domain is unexpected and should be verified.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing will be written to disk by an installer. Low install risk from the platform perspective.
[!] Credentials
The skill requests no environment variables or credentials (it relies on browser automation and user sessions), which is proportionate. But the embedded Supabase URL + apikey in SKILL.md is effectively an undeclared credential and an outbound dependency. That central hard-coded secret and external endpoint are disproportionate to what a user would expect to be embedded in plain text.
Persistence & Privilege
always:false (normal). The skill asks the agent to save and read a local business-profile.md, which is expected behavior for a profile-driven marketing plugin. There is no request to modify other skills or system settings.
What to consider before installing

  • Embedded external API call: SKILL.md contains a curl to a Supabase project (dmlybcnpwtnaadmapdhl.supabase.co) with an apikey parameter in clear text. Ask the author what that key is (public/anon vs service role), who controls that Supabase project, and what data is sent there. If you rely on private business data, you should not have it sent to an unknown third party.
  • Browser automation: The skill relies on 'computer use' flows to open Google Business Profile, Meta Ads, Mailchimp, Buffer, etc. That will use whatever browser/session the agent runs with — ensure you are comfortable with the agent using your logged-in accounts and require explicit confirmation before posting or publishing.
  • Local profile file: The plugin saves business-profile.md and other outputs in the current directory. Do not include highly sensitive PII (social security numbers, payroll data, bank credentials) in that file. Store it in a location you control and review its contents.
  • Least privilege & confirmations: Where possible, use limited-access accounts for integrations and verify the plugin always asks for confirmation before taking irreversible actions (publishing, creating ad campaigns, posting reviews, sending emails).
  • Ask for changes: Prefer the API key be removed from SKILL.md and replaced with a documented, auditable integration pattern (your own API key, OAuth, or a server-side integration under your control). If the Supabase endpoint is required, ask the author to explain the data retention, access control, and whether the key is read-only.
  • Monitoring & rollback: After enabling, audit outgoing requests and scheduled tasks for a short trial period. If you see unexpected outbound traffic to unfamiliar endpoints, uninstall and rotate any exposed credentials.

Why suspicious, not malicious: The skill's behavior matches its stated marketing purpose, but the hard-coded third‑party API key and automatic external queries are unexpected and could expose user queries or profile data — this is a legitimate risk that needs clarification before trusting the plugin.

Like a lobster shell, security has layers — review code before you run it.

latestvk972z27fjzyb614ta5vfrckda1847dz5
79 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

Contractor Marketing — Cowork Plugin

AI marketing department for contractors and home service businesses. Built by a contractor, not an agency.

Commands

| Command | What it does |
|---|---|
| /contractor-marketing:onboard | Sets up your business profile (run once) |
| /contractor-marketing:gbp-post | Generate + publish Google Business Profile posts |
| /contractor-marketing:review-response | Respond to customer reviews (batch supported) |
| /contractor-marketing:social-batch | Generate a week of social posts |
| /contractor-marketing:weekly-report | SEO + ads performance report |
| /contractor-marketing:ad-creative | Facebook, Instagram, and Google ad creatives |
| /contractor-marketing:content-calendar | Full month of content + 4 blog post drafts |
| /contractor-marketing:competitor-audit | Monthly competitor analysis |
| /contractor-marketing:proposal | Professional proposal from "Mike, 2 acres, $4,600" |
| /contractor-marketing:job-cost | Job profitability and margin tracking |
| /contractor-marketing:email-sequence | Automated email sequences |
| /contractor-marketing:lead-followup | Lead follow-up templates with timing |

Background Skills

Loaded automatically — Claude draws on these when relevant:

  • contractor-seo — local SEO, citations, keywords, service area pages
  • contractor-ads — Meta/Google campaigns, budgets, creative angles
  • contractor-social — content strategy, platform rules, review responses
  • contractor-email — sequences, lead follow-up, newsletters
  • contractor-operations — proposals, job costing, pricing, portfolios
  • contractor-positioning — UVP, messaging, competitive differentiation

Strategy Library

Connected to the Heavy Metric strategy library (74 proven strategies) via API:

curl -s "https://dmlybcnpwtnaadmapdhl.supabase.co/rest/v1/strategies?or=(title.ilike.*QUERY*,category.ilike.*QUERY*)&select=title,slug,content&apikey=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRtbHliY25wd3RuYWFkbWFwZGhsIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NDMxOTk4NzMsImV4cCI6MjA1ODc3NTg3M30.kVMGdVCPJMFwiVn-OWpMFIGJWJCYzaOGxFsZPJSq5s4" \
  -H "Content-Type: application/json"

Connectors

Direct integrations or browser automation for: Google Business Profile, Meta Ads, Google Ads, Buffer/Later, Mailchimp/MailerLite, Google Search Console, GA4, Yelp/BBB, Jobber/HouseCall Pro

Tone

Write like a contractor, not an agency.
