ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

testimonials-generator

v1.0.1

When the user wants to add, optimize, or design customer testimonials, reviews, or case study sections. Also use when the user mentions "testimonials," "revi...

0· 123·0 current·0 all-time
by@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and instructions align with a testimonials/UX design helper: it provides content, placement, design, and SEO guidance and references related layout skills. It does not request unrelated binaries or credentials.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to check for and read .claude/project-context.md or .cursor/project-context.md for customer personas and industry context. Those file reads are not declared in the skill metadata and give the agent access to arbitrary project content; this is scope creep relative to an otherwise simple design/content helper and could expose sensitive project data if present.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is written to disk by an installer).
Credentials
The skill requests no environment variables, credentials, or binaries. However, it nevertheless directs reading of local 'project-context' files (config paths) in its instructions while declaring none in the metadata; that mismatch should be clarified.
Persistence & Privilege
always is false and the skill does not request long-term presence or permissions to modify agent/system configuration. It appears not to persist or escalate privileges.
What to consider before installing
This skill mostly does what it says (testimonial content and design guidance), but the instructions tell the agent to read local project-context files (.claude/project-context.md or .cursor/project-context.md) even though the skill metadata doesn't declare any config paths. Before installing or enabling autonomous invocation, decide whether you are comfortable with the agent accessing those files: inspect them for secrets or sensitive data, or ask the skill author to remove or explicitly declare that step. If you want to be cautious, run the skill manually or in a sandboxed workspace with non-sensitive project context first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fpyx6e51tq4cvqpzb9e4s1x83vaxa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments