ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Trend Hunter Pro

v1.0.0

A high-performance automation agent that turns global trends into viral social media posts for X (Twitter), Xiaohongshu, and LinkedIn — built on the exact sc...

0· 775·3 current·4 all-time
by@traprapitalianazional-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The manifest and SKILL.md claim multi‑platform posting (X, Xiaohongshu, LinkedIn) but the included workflow.json only targets TechCrunch scraping and X (browser automation). Registry metadata says no required environment variables or credentials, yet manifest.parameters and workflow.environment require an API_KEY / DEEPSEEK_API_KEY. The run_command references a local Python script (daily_content_automation.py) that is not present in this bundle. These mismatches indicate the declared purpose, actual steps, and registry metadata are not coherent.
!
Instruction Scope
SKILL.md instructs the user to upload a .zip and enter model API keys (OpenAI/Gemini/DeepSeek). workflow.json instructs scraping TechCrunch, generating content via DeepSeek, saving markdown drafts under skills/x-ai-hunter/outputs/, and using a browser_subagent to open X and place drafts in the draft box. The instructions therefore involve network scraping, writing files to the user's workspace, and browser automation that can interact with logged-in sessions — none of which are reflected in the registry metadata. The instructions do not describe how API keys are stored/used and give broad discretion about 'persona' and scheduling.
Install Mechanism
There is no install specification (instruction-only), which is low risk in isolation. However SKILL.md and workflow.json expect a code package and a Python script to exist; since no code files are present here, the documented run_command and file paths are inconsistent with the actual bundle. That discrepancy raises operational risks (you may be asked to upload/run external archives).
!
Credentials
Registry metadata declares no required env vars or primary credential, but manifest.json defines an API_KEY parameter and workflow.json lists DEEPSEEK_API_KEY as a required env var. The SKILL.md also mentions OpenAI/Gemini keys. Requesting model API keys is plausible for text generation, but the mismatch between declared and actual requirements (and the vague instruction to provide any of multiple provider keys) is disproportionate and unclear — you should not supply secrets until you confirm exactly which service and how keys are used and stored.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It will write draft files to an outputs directory and use a browser automation subagent to interact with web pages, which is expected for a posting automation tool. No evidence it modifies other skills or global agent config.
What to consider before installing
This package has multiple internal inconsistencies — do not provide API keys or upload code until you verify details. Specifically: (1) confirm whether the skill actually includes the Python script or other code it references; inspect that code before running. (2) Verify which model provider is used (DeepSeek vs OpenAI/Gemini) and how API keys will be stored/transmitted. (3) Understand that the workflow will write drafts to skills/x-ai-hunter/outputs/ and will use browser automation to interact with your logged-in X account (it could post if misconfigured). (4) Ask the publisher for a full code bundle or repository link and a clear privacy/security description (where keys are sent, retention of outputs). (5) If you must test, do so in an isolated account or sandbox, and never reuse high‑privilege credentials. Finally, the manifest's attribution claims and the 'exact same logic as Yusef' are unrelated to security but increase the need to verify licensing and provenance.

Like a lobster shell, security has layers — review code before you run it.

automationvk97049r2vkk6cy8pzpj4yzgwyn81sd8wlatestvk97049r2vkk6cy8pzpj4yzgwyn81sd8w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments