Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tech Blog Generator
v1.0.0Generate professional technical blog posts from simple outlines. Supports Markdown, includes code blocks, and is optimized for SEO.
⭐ 0· 303·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (tech blog generation) align with the included tech-blog-generator.sh which emits Markdown blog posts. Asking for no env vars, no binaries, and no install spec is consistent with a simple shell script. However the SKILL.md documents CLI flags (--tags, -t, --output, --level, templates) that the script does not actually parse; the script uses positional parameters instead. This mismatch between claimed capabilities and actual implementation is a functional inconsistency.
Instruction Scope
SKILL.md instructs users to use flag-based options and templates; the script expects positional arguments and does not implement flags/option parsing. The script also has a logic bug: it emits a heredoc that references $TAGS_TAG_LINE before that variable is set, so tags will not appear in the generated output. Otherwise the script stays within its scope: it only writes to stdout, uses simple utilities (date, tr, cat, echo), and does not read unrelated files or environment variables or contact external endpoints. The mismatch between documented and actual behavior could mislead users.
Install Mechanism
No install specification — instruction-only with a shipped shell script. This is low-risk from an install perspective because nothing is downloaded or extracted at install time.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The script does not access external secrets. This is proportional to the stated purpose.
Persistence & Privilege
Skill is not always-enabled and does not request persistent platform privileges. It does not attempt to modify other skills or global agent settings.
What to consider before installing
This skill appears to be a simple shell-based blog post generator rather than a networked or credentialed tool, but the documentation and code are inconsistent and there is a small bug. Before installing or using it: 1) Review and, if needed, fix the script (move TAGS_TAG_LINE assignment before the heredoc or expand the heredoc after setting variables; add proper flag parsing if you expect --tags/--output/--level). 2) Run it in an isolated environment first to confirm behavior (it writes to stdout and prints a success message, it doesn't create files by itself). 3) Because the source and homepage are unknown, avoid running it with elevated privileges or in environments containing sensitive data until you are satisfied with the code. If you want, I can propose a corrected version of the script that implements flags and fixes the tag bug.Like a lobster shell, security has layers — review code before you run it.
blogvk971gmrptzkkw0106m7sh48dmx82463xgeneratorvk971gmrptzkkw0106m7sh48dmx82463xlatestvk971gmrptzkkw0106m7sh48dmx82463xmarkdownvk971gmrptzkkw0106m7sh48dmx82463xtechnicalvk971gmrptzkkw0106m7sh48dmx82463xwritingvk971gmrptzkkw0106m7sh48dmx82463x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📰 Clawdis