Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Super Marketing Pro

v3.1.0

Full-stack B2B marketing execution skill equivalent to a 10-person agency team. Use for: building ICP and brand messaging, generating multi-platform content...

by Da Wei (@wd041216-bit)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with included scripts and reference docs: the package legitimately implements ICP/strategy, content repurposing, email sequence, SEO and reporting. However the registry metadata claims 'instruction-only' / no required env vars while the shipped scripts clearly require the openai client and an OPENAI_API_KEY — a manifest mismatch that should have been declared.
Instruction Scope
SKILL.md and scripts instruct the agent to run the provided Python scripts (strategy_builder, content_repurposer, email generator, competitor monitor, etc.). Several scripts read user-supplied local files (source docs, batch lists) and pass their contents to an LLM call (via llm_utils.call_llm). That implies sending potentially sensitive content to an external model endpoint. The SKILL.md does not explicitly warn about external data transmission or specify which env var is required in the registry, reducing transparency.
Install Mechanism
No installer or remote download steps are declared; code is bundled with the skill (9 scripts + docs). The only external runtime dependency is the Python 'openai' package (installed via pip), which is expected for LLM-based scripts. There are no obscure download URLs or archive extractions in the manifest.
Credentials
The code (llm_utils.py referenced in SKILL.md) requires OPENAI_API_KEY and the SKILL.md/README instructs the user to set an OpenAI-compatible API key and install openai. Yet the registry lists no required env vars or primary credential. That omission is disproportionate and misleading: an API key is necessary for normal operation and will be used to transmit content to an external LLM service.
Persistence & Privilege
Skill is not always:true and is user-invocable; it does not request elevated platform privileges or modify other skill configs. It will be able to run autonomously only if the agent chooses to invoke it (default behavior), which is normal for skills.
What to consider before installing
This skill largely matches its stated marketing function, but exercise caution before installing:

1) The bundled Python scripts call an external LLM and require an OPENAI_API_KEY (and the openai package), but the registry manifest did not list any required env vars — treat that as a red flag and add the missing declaration or ask the author for clarity.
2) Any long-form source files you feed into content_repurposer or other scripts will be sent to the LLM provider; do not include PII, secrets, customer data, or proprietary documents you can't expose.
3) Inspect scripts/llm_utils.py to confirm which endpoint, model, and timeout/retry/logging behavior are used, and ensure API calls are not logged to disk or sent to additional endpoints.
4) Run the skill in an isolated environment first (no production keys) and monitor network calls to confirm only the expected LLM endpoints are used.
5) Prefer creating a scoped/test API key with limited quota and audit logs; if you accept the skill, ask the maintainer to update the manifest to declare OPENAI_API_KEY and other runtime requirements for transparency.


Tags: b2b · content · latest · llm · manus · marketing · openclaw · seo
