ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Marketing Mode

v1.0.0

Marketing Mode combines 23 comprehensive marketing skills covering strategy, psychology, content, SEO, conversion optimization, and paid growth. Use when users need marketing strategy, copywriting, SEO help, conversion optimization, paid advertising, or any marketing tactic.

135· 20.8k·170 current·183 all-time
bySeth Rose@thesethrose
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the content: this is a marketing knowledge/mode skill. However, requiring node/npm (declared in SKILL.md and skill.json) is disproportionate for an instruction-only skill that contains only prompts and documentation; those runtime binaries are only justified if a separate npm package is actually installed.
Instruction Scope
SKILL.md and mode-prompt.md are focused on marketing strategy, asking clarifying questions and recommending tactics. They do not instruct the agent to read filesystem paths, environment variables, or send data to external endpoints beyond normal operation.
!
Install Mechanism
Top-level registry metadata claimed no install spec, yet skill.json contains an npm install entry (npm install -g @thesethrose/marketing-mode) and SKILL.md has an install metadata block. The repository and npm package referenced are external — if a user runs the suggested install, they will fetch code from npm/GitHub not included in this bundle. That mismatch (instruction-only files but declared external package) is inconsistent and raises risk because installing the remote package could execute arbitrary code.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportional to a marketing mode which shouldn't need secrets.
Persistence & Privilege
Default invocation settings are used (always: false, user-invocable: true, autonomous invocation allowed). Nothing requests permanent or elevated platform-wide presence.
What to consider before installing
This skill's content (prompts and marketing frameworks) is benign and matches its description, but the manifests are inconsistent: skill.json advertises an npm package (@thesethrose/marketing-mode) and SKILL.md declares node/npm requirements even though there are no code files here. That means someone following the README/install hints would download and run code from npm/GitHub maintained by an external author. Before installing or running the npm package, verify the published package and repository: check the npmjs.com page and GitHub repo, read the package source, look for network calls or credential access, and confirm the maintainer's reputation. If you don't want to install external code, you can still use the skill's instruction-only content locally (no install). If you plan to install, consider doing so in a sandboxed environment and auditing the package first. If you want higher assurance, ask the publisher to provide the package source inline or a signed release and more information about why node/npm are required.

Like a lobster shell, security has layers — review code before you run it.

latestvk972hx34bvzfe6jayfh1z5qh0x7zntge

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments