ClawHub

Content Generation

v1.0.0

Generate high-quality content across multiple formats. Create articles, reports, social media posts, marketing copy, and other content types with professiona...

1· 2.8k·22 current·24 all-time
by@tobisamaa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims only to generate content, but the manifest requires BRAVE_API_KEY (a service-specific credential) and declares installing axios as a binary. A content-generation instruction-only skill would not obviously need a Brave API key; requiring it without explanation is disproportionate.
!
Instruction Scope
The SKILL.md prose describes research and content workflows but never references BRAVE_API_KEY, curl/jq/git usage, or any specific external API endpoints. The runtime instructions in metadata (env and install) are not reflected in the visible instructions, creating a gap between what the agent will be expected to do and what the documentation tells you.
!
Install Mechanism
The install spec uses npm to add 'axios' and claims to create a binary named 'axios'. axios is a JS HTTP library (not typically shipped as a CLI), so the 'creates binaries' entry is incorrect or misleading. Installing an npm package for an instruction-only skill that has no code files is also unexpected.
!
Credentials
The single required env var is BRAVE_API_KEY, which appears unrelated to the stated content-generation purpose. No primary credential is declared and the SKILL.md doesn't justify this API key. Asking for a service API key without explaining its use is disproportionate.
Persistence & Privilege
The skill does not request always:true and has normal invocation settings. It does not declare config paths or system-wide changes, so persistence/privilege requests appear proportional.
What to consider before installing
Do not provide your BRAVE_API_KEY or install this skill until the author explains why that key is required and how it will be used. Ask for: (1) a clear description of which external APIs the skill calls (and why Brave specifically), (2) why an npm package is installed for an instruction-only skill and why it would create a CLI binary, and (3) whether git/curl/jq are actually needed. If you must test it, run it in a sandboxed environment without secrets and inspect network calls. If the author cannot justify the env/ install requirements, avoid installing or supplying credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk977vm1kb5njc1b5pdp0sd9pyx81pd4b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Binscurl, jq, git
EnvBRAVE_API_KEY

Install

Node
Bins: axios
npm i -g axios

Comments