Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

business-writing

v1.0.0

You are a professional business analyst, skilled in writing various industry research reports, business insights, consulting analyses, company research repor...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a business-writing assistant and the instructions focus on citations, tables, and mermaid graphs — that aligns with the stated purpose. However, the SKILL.md also says the skill is "powered by SkillBoss API Hub" and requires SKILLBOSS_API_KEY, which is not reflected in the registry metadata; that inconsistency is unexpected and should be explained by the publisher.
! Instruction Scope
SKILL.md instructs the agent to use external references and clickable footnote links and to call the SkillBoss API (template substitution, etc.). It asks for runtime substitution variables and an API key. The instructions do not tell the user what the SkillBoss API will be used for, which endpoints will be called, or what data will be sent; this open-ended external access increases risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installation-time code being downloaded or written to disk — lowest install risk.
! Credentials
The SKILL.md requires a single environment variable SKILLBOSS_API_KEY for authentication to an external API. One API key can be reasonable for a service-backed writing helper, but the registry metadata does not declare this requirement. Hidden or undocumented credential requirements are a red flag because they can lead to accidental credential exposure or misuse.
Persistence & Privilege
The skill does not request always:true, does not declare modifications to other skills or system-wide settings, and has default autonomy flags. No elevated persistence or unusual privileges are requested.
What to consider before installing
Before installing: ask the publisher why SKILLBOSS_API_KEY is omitted from the registry metadata and what exactly the SkillBoss API will do (which endpoints, what data is transmitted). If you must provide an API key, use a scoped/limited key, run the skill in a sandbox or isolated account, and be prepared to rotate the key. Review SkillBoss API docs and the skill owner's provenance; avoid supplying high-privilege credentials (AWS, database credentials, tokens) unless absolutely necessary and justified. If the publisher cannot explain the external dependency and data flows, treat the skill with caution or decline to install.
