Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beta Survey Analysis

v1.0.0

AI-powered survey response analysis. Analyzes open-ended survey responses, clusters themes, detects sentiment, and generates actionable insights. Uses BERTop...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The name/description and SKILL.md claim advanced capabilities (BERTopic theme clustering, GPT-4o-mini integration, sentiment detection using libraries/APIs). The shipped code (analyze.py) only performs a very small, local keyword-based sentiment count and produces a simple markdown report. Declared/advertised capabilities are not implemented in the code.
Instruction Scope
Runtime instructions are simple (run python3 analyze.py with input CSV). SKILL.md also states 'Requires: python3, pandas, openai (or Anthropic API key)', but the runtime instructions do not tell the agent to obtain keys or call remote APIs and the code does not access network, environment variables, or external files beyond the input CSV. The SKILL.md language is inconsistent and grants the agent implied permission to use external APIs that the code does not actually call.
Install Mechanism
No install spec is provided and the skill is instruction-only plus a small local Python script. Nothing is downloaded or written during install, which is the lowest-risk install pattern.
[!] Credentials
Requires.env is empty and the code does not read environment variables, but SKILL.md references OpenAI/Anthropic API keys and pandas. Those credentials and deps are not declared in the registry metadata. The documentation implying the need for API keys is disproportionate to the actual code and could mislead users into supplying sensitive credentials for no reason.
Persistence & Privilege
The skill is not always-included, does not request persistence, and does not modify agent or system configuration. It runs locally when invoked.
What to consider before installing
This skill's README and metadata promise advanced clustering and LLM-powered analysis and even suggest needing pandas/OpenAI/Anthropic keys, but the actual script is a local, keyword-based sentiment counter and does not use any external APIs or environment variables. Before installing or providing any API keys: (1) ask the publisher why the code does not match the description, (2) inspect or run the analyze.py in a safe, isolated environment to confirm behavior, (3) do not supply OpenAI/Anthropic credentials unless you see code that actually uses them, and (4) if you need the advertised features (BERTopic/GPT), request a clear, auditable implementation and a trustworthy source/homepage. The current mismatch is likely a packaging/documentation error, but it could mislead you into exposing credentials unnecessarily.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📋 Clawdis
Bins: python3
