Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

User Interview

v1.0.2

Run real user interviews via Usercall. Use when you need qualitative feedback from real users — onboarding drop-off, feature confusion, pricing clarity, prot...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly targets Usercall and only needs a Usercall API key to create studies and fetch results, which is coherent with the stated purpose. However, the registry metadata listed under this bundle claims no required env vars while the instructions require USERCALL_API_KEY — an inconsistency between what the skill 'claims' and what it 'needs'.
Instruction Scope
Runtime instructions limit network calls to app.usercall.co and provide specific curl examples (expected). However, they tell the agent to run `echo "$USERCALL_API_KEY"`, which prints the secret to the terminal and can leak it into transcripts or logs. The SKILL.md also uses $ARGUMENTS (platform-provided) and tells the agent to accept media URLs; these are reasonable, but the explicit echo of the API key is an unnecessary and risky step.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. All network calls are to the documented app.usercall.co API.
Credentials
Requesting a single USERCALL_API_KEY is proportionate to the described functionality. But the omission in the manifest metadata (it does not declare the required env var) and the instruction to echo the key increase the chance of accidental credential exposure. Consider whether a scoped/revocable key can be used and whether the skill could avoid printing the secret.
Persistence & Privilege
The skill does not request permanent/always-on presence and uses normal, user-invocable defaults. It does not modify other skills or request elevated platform privileges.
What to consider before installing
This skill appears to do what it says (create and manage Usercall studies) but be cautious before installing or running it:

- The SKILL.md requires USERCALL_API_KEY, yet the package metadata does not declare that — treat this as a packaging inconsistency and verify before trusting the skill.
- The instructions explicitly echo your API key (echo "$USERCALL_API_KEY"). That prints your secret into the terminal/agent logs and can leak it. Do not run steps that print secrets; instead set the env var without echoing it.
- Only provide a Usercall key you control; prefer a limited-scope or revocable key and rotate it after testing. Avoid pasting the key into chat messages.
- Confirm that network calls go to https://app.usercall.co (as shown) and that you trust that service.
- Consider asking the skill author (or the registry owner) to update the package metadata to declare USERCALL_API_KEY and to remove the echo step so secrets are never printed.

If you understand and accept these risks (and use a scoped/revocable key), the skill's functionality is otherwise aligned with its description.

Like a lobster shell, security has layers — review code before you run it.

latestvk974pqpbggm4y0hjpvx0nnrby58336f2
193 downloads
0 stars
3 versions
Updated 3h ago
MIT-0

You are helping the user run a real user interview study via Usercall.

Step 1 — Check for API key

Run:

echo "$USERCALL_API_KEY"

If empty, tell the user:

To use openclaw you need a Usercall API key.

1. Sign up at https://app.usercall.co, then go to Home → Developer → Create API key

2. Set your API key

export USERCALL_API_KEY="your_key_here"

Add that line to your ~/.zshrc or ~/.bashrc to make it permanent, then restart your terminal.

Then run /user-interview again.

Stop here.
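
The scan above flags the Step 1 echo because it writes the key into the terminal and agent transcript. The following is an added example, not part of the skill's SKILL.md: a presence check that reports only whether the key is set, and a filter that scrubs the key from command output before it is shown. The function names `usercall_key_status` and `redact_key` and the sample key are hypothetical.

```shell
#!/bin/sh
# Added example (not from the skill): check for the key without printing it.

# Report only whether USERCALL_API_KEY is set; never output its value.
# Returns 0 when set and non-empty, 1 otherwise.
usercall_key_status() {
  if [ -n "${USERCALL_API_KEY:-}" ]; then
    echo "USERCALL_API_KEY: set"
  else
    echo "USERCALL_API_KEY: missing"
    return 1
  fi
}

# Filter stdin, replacing every literal occurrence of the key with [REDACTED].
# The key reaches awk through its environment, not its argument list, and is
# matched with index() so regex metacharacters in the key are not interpreted.
redact_key() {
  USERCALL_API_KEY="${USERCALL_API_KEY:-}" awk '
    BEGIN { k = ENVIRON["USERCALL_API_KEY"] }
    {
      out = ""; s = $0
      while (k != "" && (i = index(s, k)) > 0) {
        out = out substr(s, 1, i - 1) "[REDACTED]"
        s = substr(s, i + length(k))
      }
      print out s
    }'
}

# Demo on a constructed key, in a subshell so the caller's environment is untouched.
(
  USERCALL_API_KEY="uc_constructed_example_key"
  usercall_key_status
  printf 'Authorization: Bearer %s\n' "$USERCALL_API_KEY" | redact_key
)
```

Piping verbose or error output of the later curl calls through `redact_key` keeps the bearer token out of anything the agent records.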


Step 2 — Gather inputs

If $ARGUMENTS is provided, use it as the research topic. Otherwise ask:

  • What do you want to learn from users?
  • Any context about the product or users?
  • Do you have a prototype or image URL to show participants? (optional — Figma proto URLs or .png/.jpg/.gif/.webp)
  • How many participants? (default: 1, can increase later)

Step 3 — Create the study

curl -s -X POST https://app.usercall.co/api/v1/agent/studies \
  -H "Authorization: Bearer $USERCALL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '<json>'

JSON body:

{
  "key_research_goal": "<from user>",
  "business_context": "<from user>",
  "target_interviews": 1
}

Optional fields: additional_context_prompt, language (auto or en), duration_minutes.

For visual stimulus add study_media:

{
  "study_media": {
    "type": "prototype",
    "url": "<figma url>",
    "description": "<optional context>"
  }
}

Use "type": "image" for direct image URLs.


Step 4 — Present the result

Study created.

Share this interview link with your participants:
<interview_link>

When you have enough responses, ask me to get your results.

Getting results

curl -s "https://app.usercall.co/api/v1/agent/studies/<study_id>/results?format=summary" \
  -H "Authorization: Bearer $USERCALL_API_KEY"

Present each theme with verbatim quotes:

Theme: <name>
<summary>

Quotes:
- "<quote>"
- "<quote>"

Other commands

Check status:

curl -s "https://app.usercall.co/api/v1/agent/studies/<study_id>" \
  -H "Authorization: Bearer $USERCALL_API_KEY"

Add more slots:

curl -s -X PATCH "https://app.usercall.co/api/v1/agent/studies/<study_id>" \
  -H "Authorization: Bearer $USERCALL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"target_interviews": <n>}'
