ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Citation Audit

v1.0.0

Analyzes how often a brand appears in AI search results (ChatGPT, Perplexity, Claude). Identifies citation gaps and content opportunities for GEO (Generative...

0· 53·2 current·2 all-time
by@1477009639zw-blip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose is to run 50–500+ queries across multiple AI platforms and produce comparative analysis. However, the manifest only requires python3 and declares no API keys, browser/web-scraping tools, or third-party credentials. Accessing ChatGPT/Claude/Perplexity/Gemini typically requires API keys or web access; the skill does not explain how these queries will be executed or what external access it needs.
Instruction Scope
SKILL.md specifies the high-level process (run 100+ queries, compare competitors, produce a report) but contains no runtime instructions for how to call the named AI platforms, how queries are constructed, where results are stored, or what user data is included in queries. The instructions do not request reading local files, but are vague enough to allow the agent to seek credentials or web access at runtime — that open-endedness increases risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk risk because nothing is downloaded or executed from external URLs by the skill itself.
!
Credentials
No environment variables or credentials are declared, yet the task normally requires access to multiple third-party APIs or a web-browsing capability. The absence of declared credentials is an incoherence: the skill will likely need API keys, session cookies, or a browser tool to function, but the manifest gives no indication which secrets it will request or why.
Persistence & Privilege
always is false and there is no indication the skill demands persistent system privileges or modifies other skills. Autonomous invocation is allowed (platform default) but that alone is not a red flag here.
What to consider before installing
This skill's goal (large-scale querying of ChatGPT/Perplexity/Claude/Gemini) normally requires API keys or web access, but the skill declares none — that's an inconsistency you should resolve before installing. Ask the publisher: (1) exactly how will queries be executed (APIs, scraping, or an agent browser tool)? (2) which credentials or tokens will the skill need, and where/how will they be stored? (3) what data is sent to external platforms and how long results are retained? (4) provide a privacy/security policy, an implementation README or code, and a verifiable homepage or publisher identity. Until you get clear answers, avoid supplying API keys, session cookies, or broad web-browsing privileges to this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ffwrgvpq05k0tj69n147v5h83t3bj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binspython3

Comments