Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DeepContent
v1.2.0DeepContent recipe lookup, content generation, and asset management. Use for: recipes, deepcontent recipes, content assets, list content, search deepcontent,...
⭐ 0· 94·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the instructions: the skill is for recipe-based content and asset generation and the SKILL.md defines create/list tools and required fields. Nothing in the spec requests unrelated credentials or binaries, so purpose and declared requirements are mostly coherent. Note: the skill assumes access to an external 'deepcontent' MCP server and associated tools, which are not further described in metadata or required env vars.
Instruction Scope
The instructions explicitly tell the agent to 'search online' for logos, headshots, and template images and to use public URLs; they also tell the agent to prefer MCP tool calls, not HTTP requests. That creates ambiguity about how web searches and asset retrievals should be performed. Searching external sites for personal headshots or company logos can raise privacy/copyright issues and could cause the agent to fetch arbitrary external URLs. The instructions also permit inferring missing event data and automatically filling fields, which broadens the agent's autonomy.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes on-disk risk and is consistent with the declared metadata.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not declare access to unrelated secrets or system resources.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent platform privileges or to modify other skills. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing
This skill appears to do what it says (generate posters/speaker cards/partnership posts) but its runtime instructions ask the agent to search the web for logos, headshots and template images and to use public URLs without specifying how those searches are done. Before installing or enabling it: 1) Confirm how your agent/platform implements the 'search online' step and whether it will access your accounts or scrape third-party sites. 2) Prefer to provide your own template, logo, and headshot URLs to avoid the agent picking arbitrary external assets. 3) Be mindful of copyright and privacy — avoid using images of people without permission. 4) Ask the skill author for the MCP server endpoint and privacy/retention details for generated content (generation_id is persisted per SKILL.md). 5) Test in a limited context first (caption-only or small requests) and monitor any external network access the agent makes. These steps will reduce the risk that the agent fetches unwanted or copyrighted material or follows ambiguous web-scraping instructions.Like a lobster shell, security has layers — review code before you run it.
latestvk97928e6k69h50jwn56ght75ed84akw1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.