Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Trends

v1.0.0

Fetch and aggregate OpenClaw-related content from across the internet. Use when the user asks about OpenClaw trends, news, tutorials, videos, community discu...

by Andrey Mashukov (@andremashukov)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for andremashukov/openclaw-trends.

Install the skill "OpenClaw Trends" (andremashukov/openclaw-trends) from ClawHub.
Skill page: https://clawhub.ai/andremashukov/openclaw-trends
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-trends

ClawHub CLI

npx clawhub@latest install openclaw-trends

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

! Purpose & Capability

The name/description (fetch OpenClaw trends) aligns with the included script's behavior (YouTube, GitHub, web scraping). However, the SKILL.md and script mention a YouTube Data API key (and the script contains a hardcoded default key) while the registry metadata declares no required environment variables/credentials — an inconsistency that should be explained.

! Instruction Scope

The SKILL.md and script limit actions to web queries (YouTube API, DuckDuckGo HTML scraping, gh CLI). They do not read arbitrary local files. Concerns: (1) SKILL.md suggests scheduled cron usage (fine but makes automated periodic runs easier), and (2) the script hardcodes a Google API key and will make outbound requests that reveal usage to the key owner. The instructions also reference an integration ('OpenClaw message tool') that is not implemented, which is sloppy but not inherently malicious.

Install Mechanism

No install spec — instruction-only with an included Python script. This is low-risk from an install mechanism perspective because nothing is downloaded or executed automatically during installation.

! Credentials

The script uses a YOUTUBE_API_KEY environment variable but falls back to a hardcoded API key in code. The registry declares no required env vars/credentials — this mismatch is disproportionate and risky because the embedded key will attribute all API requests to that key's owner and could leak query data to them. No other unnecessary credentials are requested.

Persistence & Privilege

The skill does not request permanent 'always' inclusion, does not modify other skills/config, and only suggests (optional) cron scheduling. No privileged persistence is requested by the skill itself.

What to consider before installing

This skill appears to do what it says (search YouTube, GitHub, DuckDuckGo), but there are two things to consider before installing:

  1. The Python script contains a hardcoded YouTube API key. Even if you don't set an environment key, the script will use that embedded key, meaning requests will be sent under someone else's credentials (and that owner will see usage). Ask the author to remove the embedded key and require YOUTUBE_API_KEY in the skill metadata, or rotate/revoke the embedded key if it's yours.

  2. The metadata doesn't declare the YOUTUBE_API_KEY requirement even though the code uses it. This mismatch is a red flag for sloppy or intentionally hidden behavior. Confirm with the publisher why credentials are embedded and request a version that requires the user to supply their own key.

Other practical precautions: run the script in an isolated environment, review/replace the embedded key, and audit network egress if you schedule it via cron. If you don't trust the embedded key's owner, do not run the skill as-is.
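
An added example (not the skill's own code, which this page does not show): a pre-install check for the mismatch described above. It lists the environment variables a script reads and flags any that the metadata does not declare or that fall back to a string literal. The function name, the one-line sample scripts and the placeholder key are constructed for illustration.

```python
import ast
import re

# Assumes Python 3.9+ (ast.unparse, plain-expression subscripts).
# Google API keys have a well-known shape: "AIza" plus 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
ENV_GETTERS = {"os.environ.get", "os.getenv"}


def _str_const(node):
    """Return the string value of a literal AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def audit_env_usage(source, declared_env):
    """Compare the env vars a script reads with those its metadata declares."""
    used, literal_fallback = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
            name = _str_const(node.slice)  # os.environ["NAME"] raises if unset
            if name:
                used.add(name)
        elif isinstance(node, ast.Call) and ast.unparse(node.func) in ENV_GETTERS and node.args:
            name = _str_const(node.args[0])
            if not name:
                continue
            used.add(name)
            default = node.args[1] if len(node.args) > 1 else None
            if default is not None and _str_const(default):  # non-empty literal default
                literal_fallback.add(name)
    return {
        "undeclared": sorted(used - set(declared_env)),
        "literal_fallback": sorted(literal_fallback),
        "google_key_literals": len(GOOGLE_KEY_RE.findall(source)),
    }


# Constructed inputs: a placeholder key and two one-line stand-ins for a script.
FAKE_KEY = "AIza" + "0" * 35
WITH_FALLBACK = f'import os\nKEY = os.environ.get("YOUTUBE_API_KEY", "{FAKE_KEY}")\n'
FAIL_CLOSED = 'import os\nKEY = os.environ["YOUTUBE_API_KEY"]\n'

if __name__ == "__main__":
    print(audit_env_usage(WITH_FALLBACK, declared_env=[]))
    print(audit_env_usage(FAIL_CLOSED, declared_env=["YOUTUBE_API_KEY"]))
```

The first sample reproduces the reported pattern (undeclared variable, literal fallback, one key-shaped string); the second is the form the scan recommends, where the key is required and declared.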

Like a lobster shell, security has layers — review code before you run it.

latest vk976wp3ctp2pfsjnjb42jye8hn835tas
211 downloads
0 stars
1 version
Updated 21h ago
v1.0.0
MIT-0

OpenClaw Trends

Fetch trending content about OpenClaw from multiple sources and deliver a summary.

Quick Start

python3 scripts/fetch_trends.py [--days 3] [--output json|text]

Workflow

  1. Fetch from sources:

    • YouTube - Videos (Data API v3)
    • GitHub - Repos, discussions, releases
    • X/Twitter - Posts (web search)
    • Reddit - Discussions (web search)
    • Hacker News - Tech discussions (web search)
  2. Filter by freshness: Default 2-3 days

  3. Deduplicate & rank: Remove duplicates, sort by date

  4. Output: Structured summary with links

Notes

  • YouTube uses Data API v3 (key embedded for convenience)
  • X/Twitter, Reddit, HN use DuckDuckGo web search (no API needed)
  • GitHub uses gh CLI (auto-detected)
  • For agent-triggered runs, the web_search tool provides richer results

Output Format

Returns a structured summary:

  • Source (YouTube, X, Blog, etc.)
  • Title
  • Description (truncated)
  • URL
  • Date

Scheduled Checks

For daily updates, add to cron:

# Daily OpenClaw trends at 9 AM
0 9 * * * cd ~/.openclaw/workspace/skills/openclaw-trends && python3 scripts/fetch_trends.py --days 3 --notify

Notes

  • YouTube uses Data API v3 (requires key)
  • X/Twitter uses web search (no API needed)
  • GitHub uses gh CLI or REST API
  • All other sources use web search
