Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Placeholder Skill
v0.0.1
Content Claw is an automated content generation engine that transforms source material (papers, podcasts, case studies, Reddit threads, GitHub repos) into pl...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description advertises integrations (image models, Exa search, Reddit/X publishing, brand graphs, engagement tracking) that would normally require binaries, network access, and API credentials, yet the skill declares no required env vars, binaries, or install artifacts. That inconsistency indicates the skill cannot perform the claimed capabilities as-is.
Instruction Scope
The runtime instructions simply tell the agent to run an external installer command (`clawhub install contentclaw`) and otherwise redirect to a 'main' skill. The SKILL.md gives the agent permission to invoke a CLI that may download and run code, but does not declare that CLI as required or explain what will be installed or what data will be sent externally.
Install Mechanism
There is no install spec included (instruction-only), which lowers direct risk from this package. However, the SKILL.md explicitly instructs use of an external installer (clawhub), so the security depends entirely on that external tool and the 'contentclaw' package it installs—neither of which is provided or verified here.
Credentials
The skill's advertised features (publishing to Reddit/X, image generation, analytics) would normally require API keys, OAuth tokens, or service credentials, but the skill declares no env vars or primary credential. That mismatch is suspicious: either credentials are expected elsewhere (not declared) or the description is misleading.
Persistence & Privilege
The skill does not request 'always: true' and lists no install actions that would modify other skills or system-wide configuration. There is no evidence here of elevated persistence or privilege requests.
Scan Findings in Context
[empty_codebase_or_instruction_only] expected: The regex-based scanner had no code files to analyze because this is an instruction-only skill (only SKILL.md). That explains the lack of scan findings but does not validate the SKILL.md contents.
What to consider before installing
Do not run the suggested `clawhub install contentclaw` or install this skill until you verify the source. Ask the publisher for the full 'contentclaw' package repository or a homepage, a clear list of required credentials and their scopes (e.g., Reddit/X OAuth tokens, image-generation API keys), and the exact network endpoints used. If you must try it, inspect the code of the main package first, confirm the 'clawhub' installer is legitimate, and run the installer in a sandboxed environment. Be especially cautious about granting OAuth tokens or API keys—verify minimal scopes and revoke them if behavior is unexpected.
Like a lobster shell, security has layers — review code before you run it.
