Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wadiz DM Pipeline

v1.0.0

A pipeline that crawls Wadiz/Tumblbug funding projects and automatically generates personalized DMs to send to makers whose campaigns are at 50–99% of their funding goal. Runs directly on Dalbi's Mac. Trigger phrases: "pull Wadiz DMs", "scrape Tumblbug projects and make DMs", "run the ad-creative service DM pipeline".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (crawl Wadiz/Tumblbug projects and produce personalized DMs) matches the included script: it scrapes category pages, filters projects with 50–99% funding, extracts detail text, and generates DMs. However, the registry metadata declares no required environment variables or primary credential, while the script requires an ANTHROPIC_API_KEY to perform personalized DM generation. The need for an LLM API key is coherent with the stated purpose, but its absence from the metadata is an inconsistency.
Instruction Scope
SKILL.md explains local execution and Playwright requirements and the script implements only crawling, local CSV output, and DM generation. Important scope note: when an ANTHROPIC_API_KEY is present the script transmits scraped project title/description to Anthropic's API to generate DM text — SKILL.md does not explicitly call out that scraped content will be sent to a third party (though the script prints a prompt showing that behavior). The script does not attempt to read unrelated local files or system credentials.
Install Mechanism
There is no install spec (instruction-only skill plus a Python script). Installation risk is low: dependencies are standard Python packages (playwright, anthropic) installed via pip per the README. No remote binary downloads or archive extraction were specified.
Credentials
The script requires ANTHROPIC_API_KEY (used to call Anthropic's API), which is appropriate for LLM-powered DM generation — but the registry metadata lists no required env vars or primary credential. That mismatch is a meaningful incoherence: the skill will prompt you to provide a (sensitive) API key at runtime but did not declare it in its manifest. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills or system-wide settings, and writes output only to an output/ CSV in the skill folder. It does open a browser in headful mode (headless=False) which will display UI on the host.
What to consider before installing
Before installing or running:
(1) Be aware the script scrapes project titles/descriptions and will send that text to Anthropic if you supply ANTHROPIC_API_KEY — consider privacy and whether you want scraped maker content transmitted to a third party.
(2) The package manifest omits the required ANTHROPIC_API_KEY; the code will ask you to set it (export ANTHROPIC_API_KEY='sk-...'). Treat that key as sensitive — use a dedicated/revocable key and revoke it if you stop using the skill.
(3) The SKILL.md asks you to run locally (Mac) — follow that: running on a public server could increase blast radius.
(4) Review the included scripts (pipeline.py) yourself or run in an isolated environment before giving any credentials.
(5) Consider legal/ethical implications of scraping and sending unsolicited DMs to makers; ensure compliance with site Terms of Service and local regulations.
If you want a lower-risk test, run without ANTHROPIC_API_KEY to use the local fallback template (no external API calls).

Like a lobster shell, security has layers — review code before you run it.

latest: vk9767h3g8d6p8xxetpbppnk78n839x8s
