Generate Roofing Contractor Client Education Handout

Pass

Audited by VirusTotal on May 2, 2026.

Overview

Type: OpenClaw Skill
Name: toby-generate-roofing-contractor-client-education-handout
Version: 1.0.0

The skill bundle is a standard template designed to generate marketing and educational content for roofing contractors. The files (SKILL.md, package.json, README.md) contain no executable code, obfuscated payloads, or malicious instructions. While the skill requests 'Bash' tool access, the workflow is strictly limited to text generation and asset enrichment via 'chat' and 'image_generation' APIs. Minor inconsistencies in repository naming between files appear to be artifacts of template reuse rather than indicators of malice.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent invoking this skill could have local command execution available even though the task should only require drafting text, generating visuals, and possibly reading user-provided materials.

Why it was flagged

The skill is described as a handout-writing task, but raw Bash access is a broad local command capability and the workflow gives no need, scope, or approval conditions for using it.

Skill content

allowed-tools: Bash, Read

Recommendation

Remove Bash from the allowed tools, or document a narrow, user-approved command set. Limit file reading to files the user explicitly selects for the handout.

What this means

A user following the README could install a different source than the one represented by the registry entry or package metadata.

Why it was flagged

The reviewed artifacts reference different package slugs and GitHub owners, so the installation path may not clearly match the reviewed skill.

Skill content

Registry slug: `toby-generate-roofing-contractor-client-education-handout`; README: `clawhub install qiaomu-generate-roofing-contractor-client-education-handout`, `git clone https://github.com/qiaomucom/...`; package.json: `https://github.com/TobeyRebecca/...`

Recommendation

Verify the canonical ClawHub slug and GitHub repository before installing. The publisher should align the README, package.json repository, and registry metadata.