Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Forge

v1.0.0

Generate content ideas, blog outlines, social media posts, and headlines. Use when the user needs help creating content for blogs, Twitter/X threads, LinkedI...

by 千年虫 @xunuowu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and the included CLI script all align: the tool generates blog ideas, social posts, calendars, and headlines using local templates and randomness. There are no declared env vars, binaries, or config paths that are unrelated to content generation.
Instruction Scope
SKILL.md instructs use of a local CLI with JSON or human-readable output and explicitly states 'No external API calls required' and 'Works offline'. The visible portion of scripts/content-forge.py implements template-based generation and does not reference external services. However, the displayed script content was truncated in the bundle listing, so I could not verify the tail of the file for network or file-system actions.
Install Mechanism
There is no install spec (instruction-only skill) and the code is bundled as a local script. No downloads, package installs, or extraction steps are declared.
Credentials
The skill declares no required environment variables, credentials, or config paths. The visible code does not access environment variables or external credentials.
Persistence & Privilege
The skill is not marked always:true and uses default invocation settings. It does not request elevated persistence or modify other skills/configs in the visible materials.
What to consider before installing
This skill looks like a simple, local template-based content generator and the SKILL.md explicitly says it works offline with no API keys. However, the provided Python file was truncated in the listing, so you should: 1) review the full scripts/content-forge.py file yourself (or ask the publisher to provide the full source) to confirm there are no network calls, telemetry, or unexpected file operations; 2) run it in a sandbox or isolated environment the first time; and 3) avoid granting any additional credentials or system-level permissions unless you can verify they are necessary. If you want higher assurance, request the complete source or a reproducible build/instructions from the publisher.

Like a lobster shell, security has layers — review code before you run it.

Tags: blog, content, latest, marketing, socialmedia, writing
