Content Draft Generator
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: content-draft-generator Version: 1.0.2 The skill is classified as suspicious primarily due to a misleading 'Security Note' in `SKILL.md` which falsely claims 'No external services or credentials required'. In contradiction, the skill explicitly instructs the agent to use the `web_fetch` tool and directly call the `https://api.fxtwitter.com` API to fetch content from user-provided URLs. While these network calls are for the skill's stated purpose (content analysis), the misrepresentation raises concerns about trustworthiness and developer intent. The ability to fetch arbitrary user-provided URLs also presents a potential vulnerability if the underlying `web_fetch` tool or environment is susceptible to Server-Side Request Forgery (SSRF) or similar attacks, although the skill itself does not demonstrate intent to exploit such vulnerabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misleading or adversarial reference page could skew the generated prompt or drafts if its text is followed too literally.
User-provided webpages influence a prompt that the agent later executes. This is central to the skill, but reference content can include text that should not be treated as instructions.
Fetch content from all reference URLs (use web_fetch tool) ... create a two-phase prompt ... Execute Meta Prompt
Use trusted reference URLs and keep fetched page text as source material only; review the generated meta-prompt and drafts before relying on them.
Twitter/X reference URLs you provide may be sent to FxTwitter to retrieve the content.
The skill discloses that Twitter/X URLs are fetched through a third-party API endpoint. This is purpose-aligned, but it is an external data flow users should understand.
For Twitter/X URLs, transform to FxTwitter API: `https://api.fxtwitter.com/username/status/123456`
Only provide public, non-sensitive Twitter/X links and avoid using private or confidential URLs as references.
Your unpublished ideas, audience details, positioning, and drafts may remain in local markdown files after the session.
The workflow intentionally creates persistent local files containing analysis, user context, and draft content. This is proportionate to the purpose, but may retain sensitive ideas or marketing plans.
Save complete output to `content-draft/draft-{timestamp}.md` ... Include: Context summary from Phase 1 ... Preserve all generated files—never overwriteReview where the files are saved and delete or protect them if they contain confidential content.