Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Phishing Kit Detector

v1.4.0

Detects phishing kit artifacts, brand impersonation, suspicious JavaScript, and infrastructure on URLs or local HTML to identify phishing kit clones.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-phishing-kit-detector.

Install the skill "Phishing Kit Detector" (snipercat69/edgeiq-phishing-kit-detector) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-phishing-kit-detector
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install edgeiq-phishing-kit-detector

ClawHub CLI

npx clawhub@latest install edgeiq-phishing-kit-detector

Security Scan

Capability signals

Crypto
Can make purchases

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

! Purpose & Capability

The core functionality (HTML/JS analysis, URL fetching, brand signatures) matches the phishing-detector purpose. However, the bundle includes a separate licensing module that reads ~/.edgeiq/license.key and ~/.edgeiq/stripe_licenses.json and accepts EDGEIQ_EMAIL as a license shortcut; these side-effects are not declared in the registry metadata (which lists no required config paths or env vars). Reading/writing those files is outside the stated primary purpose and should be disclosed.

! Instruction Scope

SKILL.md shows how to run scans and mentions using EDGEIQ_EMAIL to enable Pro features, but it does not call out that the code will read a license file in the user's home directory or accept an email as a license. The code will also fetch arbitrary remote URLs (expected for a scanner) — which is appropriate for the purpose but increases risk if run against unknown domains. The instructions do not disclose all data accesses performed by the included code.

Install Mechanism

There is no network install step or downloaded archive in the registry metadata; the skill is instruction-only with code files included. That is lower-risk than remote downloads. No package managers or external installers are invoked by the provided instructions.

! Credentials

The registry declares no required env vars or credentials, yet both code files check the environment variable EDGEIQ_EMAIL and read license files under the user's home directory to enable Pro/Bundle features. Asking users to set EDGEIQ_EMAIL to unlock features is an unconventional and undeclared mechanism; reading home-directory files without declaring them is disproportionate to 'scan a URL' and should be explicit.

Persistence & Privilege

The skill is not marked always:true and does not request system-wide privileges. The only persistent artifact is the expected ~/.edgeiq/ license files accessed by the licensing module; the skill does not appear to modify other skills or global agent config.

What to consider before installing

This skill appears to implement phishing detection, but before installing or running it you should:

1) inspect the included files (phishing_detector.py and edgeiq_licensing.py) yourself or in a sandbox — they read/write ~/.edgeiq/*.
2) Be cautious about setting EDGEIQ_EMAIL to unlock Pro features — that acts as a license bypass and is not a standard API key.
3) Run scans only on domains you control or are authorized to test (the tool will fetch remote URLs).
4) If you plan to pay for 'Pro' or 'Bundle', verify the vendor identity and Stripe links; the repository/homepage information in the skill is sparse.
5) Prefer running the tool in an isolated VM or container and monitor outbound network traffic to ensure no unexpected exfiltration to unknown endpoints.

If you want higher assurance, ask the publisher for a canonical source (Git repo or homepage) and a clear privacy/telemetry statement.

phishing_detector.py:377
Dynamic code execution detected.

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dyddj30892hwvzz1gg3d75s85h78h
99 downloads
0 stars
4 versions
Updated 3d ago
v1.4.0
MIT-0

Phishing Kit Detector

Skill Name: phishing-kit-detector
Version: 1.0.0
Category: Security / Phishing / OSINT
Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux


What It Does

Detects phishing kit artifacts, brand impersonation, form action URLs, stolen branding, suspicious JavaScript, and credential harvesting infrastructure. Analyzes live URLs or local HTML dumps to determine if a page is a phishing kit clone.

⚠️ Legal Notice: Only analyze domains you own or have explicit written authorization to audit. Not for unauthorized scanning of third-party sites.


Features

  • Phishing artifact detection — form action URLs pointing to credential capture endpoints, hidden fields, credential autocomplete
  • Brand impersonation analysis — detects brand logos, CSS frameworks, and imagery copied from legitimate sites
  • Infrastructure fingerprinting — shared/free hosting detection, suspicious TLDs, URL path patterns
  • JavaScript analysis — credential harvesting scripts, redirect chains, keyloggers, obfuscated callbacks
  • Stolen branding detection — references to legitimate brand assets, fake SSL badges, trust seals
  • URL structure analysis — phishing-specific URL path patterns (login, account, verify, secure)
  • JSON export — structured forensic report

Tier Comparison

Feature | Free | Lifetime ($39) | Optional Monthly ($7/mo)
URL scan | ✅ (5 scans) | ✅ (unlimited) | ✅ (unlimited)
Local file scan
Brand impersonation check
JS analysis
Infrastructure fingerprinting
Stolen branding detection
JSON export

Installation

cp -r /home/guy/.openclaw/workspace/apps/phishing-kit-detector ~/.openclaw/skills/phishing-kit-detector

Usage

Basic URL scan (free tier)

python3 phishing_detector.py --url "https://suspicious-site.com/login"

Local HTML file scan (Pro)

EDGEIQ_EMAIL=your_email@gmail.com python3 phishing_detector.py \
  --file /path/to/phishing_page.html --pro

Brand impersonation check (Pro)

python3 phishing_detector.py --url "https://fake-paypal.com" \
  --brands paypal,amazon,apple --pro

Full bundle analysis + JSON export

EDGEIQ_EMAIL=your_email@gmail.com python3 phishing_detector.py \
  --url "https://phishing-site.net" --bundle --output report.json

Parameters

Flag | Type | Default | Description
--url | string | | Phishing URL to analyze
--file | string | | Path to local HTML file
--brands | string | | Comma-separated brand list (paypal,amazon,apple,google,microsoft,facebook,instagram,twitter,netflix,linkedin)
--pro | flag | False | Enable Pro features
--bundle | flag | False | Enable Bundle features
--output | string | | Write JSON report to file

Brand List

Supported brands for impersonation detection: paypal · amazon · apple · google · microsoft · facebook · instagram · twitter · netflix · linkedin · ebay · salesforce · dropbox · slack · zoom · steam · epic games · yahoo · cnn · chase · bank of america · wells fargo · capital one


Output Example

=== Phishing Kit Detector ===
Analyzing: https://fake-paypal.com/account/verify

  🔴 PHISHING KIT DETECTED (98% confidence)
  
  Artifact Analysis:
    Form action → credential harvest endpoint detected
    Hidden field → password re-entry field (credential capture)
    Credential autocomplete → enabled on sensitive fields
    Multiple forms → login + payment + PIN entry

  Brand Impersonation:
    Detected: PayPal (logo, CSS framework, brand colors)
    Stolen assets: 3 CSS files, 2 images from paypal.com
    Fake SSL badge detected

  Infrastructure:
    Free hosting provider detected (Freenom .tk domain)
    Suspicious TLD: .tk — commonly used in phishing
    Redirect chain: 2 hops before landing page
    Shared hosting IP — multiple malicious sites on same IP

  JavaScript Findings:
    Credential harvester script detected
    Keylogger injection found
    Redirect to: paypal.com.legit-site.ru

  Threat Level: CRITICAL — Sophisticated phishing kit with credential harvesting + keylogger

Pro Upgrade

Full phishing kit analysis + brand impersonation + JS analysis + infrastructure fingerprinting:

👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo


Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com


🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →
