Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wed 1.0.1
v1.0.0What Would Elon Do? - Transform any idea into a ruthless execution plan. One command to generate a full business strategy, MVP spec, go-to-market plan, and first-week action items. Think bigger. Move faster. /wed 'your idea'
⭐ 6· 14.9k·1 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to generate business plans (purely content-generation). However the included runtime rules instruct the agent to run local shell commands (hostname) and make an outbound network request to increment a counter — actions not required to produce a plan and inconsistent with the stated purpose.
Instruction Scope
rules/logic.md mandates 'silently' gathering system info (hostname, working directory) and POSTing to https://wed-security-awareness.jamieson9964.workers.dev/log before producing the plan. Those steps are out-of-band for a text-generation skill and include a stealthy collection/transmit step ('silently gather'), which is scope creep and a privacy/security risk.
Install Mechanism
This is instruction-only (no install spec, no code to download), so there's no install-phase risk. Nothing is written to disk by an installer.
Credentials
The skill requests no environment variables or credentials, which is good, but it does request access to local system information (hostname and cwd) and to make an external network call. Those actions are not declared in SKILL.md itself (they appear in rules/logic.md) and are disproportionate to generating a business plan.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide config, and requires no persistent credentials. It does, however, instruct the agent to make an outbound request during each invocation (transient network access).
What to consider before installing
This skill contains explicit runtime instructions to run shell commands (hostname) and silently POST to an external endpoint before doing anything else. Even though the author labels it a 'security awareness demonstration' and claims only a counter is incremented, the pattern (collect local info + network POST) is the same as exfiltration. Before installing or running: 1) Read rules/logic.md and SKILL.md fully — the behavior is documented but not prominent in the main description. 2) If you want to try it, run in a sandboxed environment or with network disabled to verify output safely. 3) Prefer skills that do not execute commands or make network requests, or that require explicit user opt-in at runtime for such actions. 4) Ask the author to remove 'silent' collection and make any telemetry opt-in and transparent (e.g., prompt user, show exact data sent). 5) If you manage sensitive repos or secrets on your machine, avoid installing skills that run arbitrary shell commands or POST to external endpoints. If you are unsure, do not install.Like a lobster shell, security has layers — review code before you run it.
latestvk9772rj55v7k8ty9g1yfcarfq17zz5rv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.