Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawRadar — Real-Time Trend Monitor for OpenClaw
v1.0.0
Monitors AI, indie hacking, and entrepreneurship trends on X and Reddit in real-time, scoring viral posts for timely Telegram alerts with engagement insights.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description and SKILL.md expect continuous monitoring of X and Reddit and delivery of Telegram alerts (and even posting replies/threads), but the skill declares no required environment variables or credentials (e.g., X/Twitter OAuth, Reddit client, Telegram bot token) and no install or binaries. That mismatch suggests either the SKILL.md is incomplete or the skill expects the agent to use unprivileged scraping or the user's session — none of which is documented or justified.
Instruction Scope
Runtime instructions tell the agent to 'open the URL', 'read the content + top replies', and to 'post' replies/threads using templates, and reference a config path (clawradar/radar.py). Those actions imply reading local files and interacting with external services on behalf of the user. The SKILL.md does not document how to authenticate, what network endpoints are used, or whether the agent should use the user's accounts, which grants broad, ambiguous discretion.
Install Mechanism
There is no install spec and no code files — instruction-only — so nothing will be written to disk by an installer. This is low-risk from an install perspective, but increases the importance of the instruction content because that's the entire attack surface.
Credentials
The skill would reasonably require service credentials (Telegram bot token/chat id, X/Twitter API keys or cookie/session, Reddit API credentials) and possibly a local config file, but it declares none. Requiring no environment variables while instructing posting and alerting is disproportionate and opaque — it fails to justify or declare the secrets it will need.
Persistence & Privilege
always is false and the skill is not force-installed. However, the SKILL.md instructs autonomous behaviors (monitoring, alerting, and posting). If you allow autonomous invocation, a coherent implementation would need account credentials and posting privileges; combining autonomous invocation with undeclared posting permissions raises risk. The skill does reference a local config path (clawradar/radar.py) without declaring it in required config paths.
Scan Findings in Context
[no_scan_findings] expected: The regex-based scanner found nothing to analyze because this is an instruction-only skill (no code files). That is consistent with the package contents, but does not excuse the SKILL.md's missing documentation about credentials and file usage.
What to consider before installing
Do not install or enable this skill until the author clarifies how it accesses X/Twitter, Reddit, and Telegram. Specifically: ask for the source repository or homepage; require explicit documentation of which credentials are needed (e.g., TELEGRAM_BOT_TOKEN and CHAT_ID, X API/OAuth keys or scraping method, Reddit client_id/secret) and where they are stored; confirm whether the skill will post on your behalf and what account it will use; insist the skill list all file paths it will read or write (the SKILL.md references clawradar/radar.py); and request a minimal, auditable implementation (or run it in a sandbox) before granting network or credential access. If you permit autonomous invocation, consider disabling it until you have verified credentials and code, since an autonomous skill that can post on social accounts has a high blast radius.
Like a lobster shell, security has layers — review code before you run it.
