ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Iran Briefing

v1.4.0

Real-time geopolitical intelligence — Iran crisis briefing, Trump Truth Social feed, prediction markets, 800+ tracked entities.

1· 353·0 current·0 all-time
by@dachein
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: the skill is an instruction-only adapter that queries a third-party API (skill.capduck.com) for Iran- and Trump-related briefings, feeds, and prediction-market data. However, there is no homepage or publisher information and the included _meta.json version (1.2.0) differs from the registry metadata version (1.4.0), which is an inconsistency in provenance/versioning that deserves attention.
!
Instruction Scope
SKILL.md instructs the agent to call various HTTPS endpoints on skill.capduck.com (briefings, posts, events, polymarket, entities). It does not instruct reading local files or env vars, but every invocation will cause conversational context and queries to be transmitted to that external service. The instructions also direct the agent to consult predictive markets and social feeds—these are expected for the purpose but increase risk of exposing sensitive query context. There are no instructions to authenticate, rate-limit, or sanitize data before sending.
Install Mechanism
No install spec and no code files — instruction-only skill — so nothing is written to disk by the skill itself. This minimizes filesystem risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate to an instruction-only API adapter. The primary remaining concern is network exfiltration of conversation/context to an external domain when used.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated or persistent platform privileges. Autonomous invocation is permitted by platform defaults but not explicitly elevated by the skill.
What to consider before installing
Before installing: 1) Verify the publisher and find a homepage or source repository — this skill has no listed homepage and metadata versioning is inconsistent. 2) Understand that any prompt/context you send to this skill will be transmitted to https://skill.capduck.com — do not send PII, credentials, or sensitive internal info. 3) If you need to evaluate accuracy, test with non-sensitive queries and compare results to known primary sources. 4) Ask the publisher for a privacy/TOS statement and for details about data retention and authentication. 5) If you cannot verify the operator, consider not enabling autonomous invocation for this skill (or restrict it to manual use only).

Like a lobster shell, security has layers — review code before you run it.

latestvk978qt1t3af9g67qw4g6fg6bmd84e8b5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🇮🇷 Clawdis

Comments