ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

producthunt-wingman

v1.6.1

Premium PH outreach agent — automates community discovery, enrichment, and LinkedIn engagement locally.

1· 89·0 current·0 all-time
byAbinash Senapati@techievena

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for techievena/ph-wingman.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "producthunt-wingman" (techievena/ph-wingman) from ClawHub.
Skill page: https://clawhub.ai/techievena/ph-wingman
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: OPENAI_API_KEY, LAUNCH_DATE, PH_LAUNCH_URL
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install techievena/ph-wingman

ClawHub CLI

Package manager switcher

npx clawhub@latest install ph-wingman
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The declared purpose (ProductHunt outreach + LinkedIn automation) matches the listed environment variables (OPENAI_API_KEY, LAUNCH_DATE, PH_LAUNCH_URL). However the SKILL.md repeatedly describes executing code in a 'server/' directory (server/main.py, server/linkedin_agent.py) and managing a local background service — yet the skill bundle contains no code or install spec. That mismatch (instructions expecting an installed package but no install mechanism or files present) is a meaningful incoherence.
!
Instruction Scope
The runtime instructions direct the agent to check a local dashboard at http://localhost:3847, run ./setup.sh, start python3 main.py from a server/ directory, open a local browser for LinkedIn login, and rely on cron for scheduled runs. Those actions imply file execution, browser session storage, network activity, and scheduled persistence. Because the referenced files are not present in the package, it's unclear what will actually execute — the instructions grant broad scope for local file I/O and network calls that should be reviewed in concrete code before running.
!
Install Mechanism
There is no install specification and no code files in the package, yet SKILL.md assumes an installed server and setup.sh. Either the skill is missing its implementation (packaging error) or it expects the user to fetch/run external code (not documented in an install spec). Instruction-only skills typically do not ask to run local scripts; this mismatch increases risk because the actual code source and integrity are unknown.
Credentials
The required env vars (OPENAI_API_KEY, LAUNCH_DATE, PH_LAUNCH_URL) are reasonable for message personalization and launch context. SKILL.md also lists optional ANTHROPIC_API_KEY and GOOGLE_API_KEY, which are plausible as alternatives. No unrelated cloud credentials are requested. However, the agent will save a local browser session (server/.browser_profile/) which contains sensitive session cookies/tokens — that storage is not represented in requiredEnv and is a privacy surface to consider.
Persistence & Privilege
The skill does not set always:true and is user-invocable (normal). But instructions describe running a background server and scheduling daily cron jobs, which would create persistent activity on the host. Because there is no packaged code shown, it's unclear who or what would install those persistent components — treat persistence as potentially sensitive and require code review before enabling.
What to consider before installing
Do not run this skill as-is. The SKILL.md describes running server/main.py, setup.sh, creating cron jobs, and storing a local browser profile — but the package you downloaded contains no server/ code or install steps. Before installing or providing secrets (OPENAI_API_KEY): 1) Ask the publisher for the full source or a verified release (the skill.json points to a GitHub repo); verify that the repository contains the referenced server/ files and inspect setup.sh, server/main.py, and server/linkedin_agent.py for network endpoints and data handling. 2) Run any code in an isolated environment (VM/container) and avoid reusing your primary LinkedIn account—session cookies stored under server/.browser_profile can be sensitive. 3) If you must test, remove scheduling/cron steps until you’ve inspected the code. 4) If the publisher cannot supply the missing server code or an install mechanism tied to a trusted release, treat the skill as untrusted and do not provide your OpenAI API key or other credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

EnvOPENAI_API_KEY, LAUNCH_DATE, PH_LAUNCH_URL
Primary envOPENAI_API_KEY
latestvk97c6yhb4emq5ee5ajzrq8g9hh85d1vn
89downloads
1stars
5versions
Updated 17h ago
v1.6.1
MIT-0
Abinash Senapati@techievena
latest
Download

ProductHunt Wingman: Local-First Outreach

Premium ProductHunt outreach agent. This skill operates by managing a local background server that orchestrates community discovery, profile enrichment, and LinkedIn engagement.

🛡️ Security & Privacy Audit

[!IMPORTANT] This skill executes code located in the server/ directory of the installed package. Before your first run, please review the local files (server/main.py, server/linkedin_agent.py) to verify network calls and data handling. The agent uses your local browser session for LinkedIn; it never asks for or stores your password.

📦 Prerequisites

  • Python 3.9+ and Chrome/Chromium installed.
  • Environment Variables:
    • OPENAI_API_KEY: Required for message personalization.
    • LAUNCH_DATE: Your ProductHunt launch date (YYYY-MM-DD).
    • PH_LAUNCH_URL: Your product's PH launch URL.

🛠️ Runtime Instructions

  1. Local Server Check:
    • The agent first checks if the Mission Control dashboard is reachable at http://localhost:3847.
    • If not, it enters the server/ directory, ensures the virtual environment is ready (./setup.sh), and starts the service (python3 main.py).
  2. Dashboard Management:
    • Once the server is live, the agent can trigger pipelines, check status, or pause/resume outreach by making local API calls to the dashboard.
  3. LinkedIn Authentication:
    • On the first run, a local browser window will open. You must manually log in to LinkedIn in this window. The session is saved locally in server/.browser_profile/.

🗣️ Voice/Chat Commands

  • "Start my PH outreach" → Triggers the 5-phase discovery and enrichment pipeline.
  • "Enrich new prospects" → Systematically visits profiles to extract rich "Genome" data.
  • "Check my launch status" → Returns a high-density summary of the outreach funnel.
  • "Pause wingman" → Pauses the background scheduler.

📅 Automatic Triggers

  • Daily Discovery: Runs at 9 AM local time via cron.
  • Outreach Loop: Enforces connection budgets to protect your account.

🚀 Dashboard Features

Accessible locally at http://localhost:3847:

  • Prospect Genome: Deep dive into each member's profile data.
  • Message Editor: Review and manually edit AI-generated outreach DMs.
  • Outreach Kanban: Real-time visibility into the campaign funnel.

Comments

Loading comments...