ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Customer Service Scripts Generator

v1.0.0

Generate professional customer service scripts for 10+ industries using AI, with emotion analysis and quality scoring for complaints, sales, and support.

0· 134·1 current·1 all-time
by@yang1002378395-cmyk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description match the implementation: the code generates scripts, performs simple sentiment analysis, and scores replies. However the code requires an OPENCLAW_API_KEY and instantiates an OpenClaw client (sending prompts externally). The registry metadata claims no required env vars/credentials and the SKILL.md example does not mention setting an API key — this is an incoherence between claimed requirements and actual capabilities.
!
Instruction Scope
SKILL.md shows usage that assumes ScriptGenerator() will work without configuration, but the class raises a ValueError if OPENCLAW_API_KEY is not set. The runtime instructions do not disclose that customer messages are sent to the OpenClaw API (remote model invocation), nor do they warn about privacy implications. Other than that, the instructions do not attempt to read unrelated files or secrets.
Install Mechanism
No install spec is bundled; SKILL.md suggests 'pip install openclaw' which is a standard package install. There are no downloads from arbitrary URLs or archive extraction steps in the skill bundle. Review of the external 'openclaw' package is recommended before use.
!
Credentials
The code requires a single API key (OPENCLAW_API_KEY) which is proportionate to calling an external API. However, the skill metadata declares no required env vars and SKILL.md fails to document this credential — the missing declaration is a notable inconsistency. No other secrets are requested.
Persistence & Privilege
The skill is not always-enabled, does not request persistent/privileged system changes, and does not modify other skills. Autonomous invocation is allowed (platform default) but not by itself a red flag here.
What to consider before installing
This skill appears to implement the advertised functionality, but the Python code requires an OPENCLAW_API_KEY and sends prompts to the OpenClaw API — yet the metadata and SKILL.md do not mention this. Before installing or using it: - Do not assume the example will work without setting OPENCLAW_API_KEY; set the key if you trust the OpenClaw service. - Understand that customer messages (potentially containing PII) will be transmitted to an external API. Avoid sending sensitive personal or credential data. - Verify the provenance of the 'openclaw' Python package and the skill owner (no homepage provided). Prefer packages from known authors or inspect package source code. - Ask the author to update SKILL.md and registry metadata to declare the required OPENCLAW_API_KEY and to document where data is sent and stored. - If you need stronger assurance, run the code in an isolated environment and monitor network calls, or replace the OpenClaw client with a trusted local model or a clearly documented API client.

Like a lobster shell, security has layers — review code before you run it.

latestvk972x4e4kgqh7zsxk0xpk3r8ms832zx6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments