Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Newsletter Machine
v1.0.0
Automates your niche newsletter by researching viral content, writing editions, identifying growth and monetization tactics, and creating promotional video t...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a workflow that depends on Apify (scrapers), InVideo AI (video generation), and Claude AI (writing). The sample input block explicitly includes apify_token and invideo_api_key, yet the registry metadata lists no required env vars or primary credential. That mismatch suggests the declared requirements do not align with what the skill actually needs to run.
Instruction Scope
Instructions direct automated scraping of Google News, Reddit, Twitter/X, LinkedIn, and newsletters via Apify and producing content via external services. The runtime doc expects API tokens in inputs and to contact third-party endpoints — it does not instruct reading local files or unrelated environment variables, but it does require network requests and scraping that may implicate TOS/robots.txt and possible private-account access (LinkedIn/X) depending on implementation. The SKILL.md does not state how scraped data or credentials are stored or transmitted.
Install Mechanism
No install spec and no code files — this is an instruction-only skill, so nothing will be written to disk by an installer. That minimizes install-time risk.
Credentials
The skill implicitly requires multiple service credentials (Apify token, InVideo API key, and an LLM API key for Claude) but the registry lists none. Requiring multiple external service keys is proportionate to the described functionality, but failing to declare them in the metadata is a transparency problem and increases the risk that secrets will be requested unexpectedly at runtime.
Persistence & Privilege
always is false and the skill does not request any special system persistence or modify other skills. It can be autonomously invoked by the agent (default), which is normal; this combined with the external-API behavior increases blast radius but is not itself an escalation in the manifest.
What to consider before installing
This skill will call external scraping and content-generation services and the SKILL.md expects API tokens (e.g., apify_token, invideo_api_key, and a Claude/LLM key) even though the registry metadata declares none. Before installing or supplying secrets: (1) confirm which exact credentials are required and how/where they will be stored; (2) verify the skill's privacy/data-handling policy and whether scraped data or generated content is sent to third-party accounts; (3) consider compliance with site TOS and robots.txt for scraping LinkedIn/Twitter; (4) avoid pasting long-lived keys until you trust the skill — prefer scoped API keys and rotate them if used; (5) ask the publisher to update the registry metadata to list required env vars (APIFY_TOKEN, INVIDEO_API_KEY, CLAUDE_API_KEY or similar) and to document how credentials are used. If you cannot get those clarifications, treat the skill as higher risk and do not provide sensitive credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk975xasfx5wed121jj73g2j8dd84kq4f
