Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Brand Analyzer
v1.0.0
Analyze brands to generate comprehensive brand identity profiles (JSON). Use when the user wants to analyze a brand, create a brand profile, or needs brand data for ad generation. Stores profiles for reuse across Ad-Ready, Morpheus, and other creative workflows. Can list existing profiles and update them.
⭐ 2 · 1.7k · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description align with the included code: the script and SKILL.md both describe researching brands, generating a JSON profile, and optionally saving it into an Ad-Ready catalog. However the registry metadata declares no required environment variables or primary credential, while both SKILL.md and scripts/analyze.py expect a GEMINI_API_KEY. The script also lists a dependency (google-genai) in a comment but the skill has no install spec — these mismatches are unexpected for a networked API integration.
Instruction Scope
SKILL.md explicitly instructs the agent to conduct web research (Google Search, Google Images, Pinterest), collect at least 10 campaign assets, and use them in visual analysis. That scope is plausible for the stated purpose, but it implies network access and potentially downloading/processing images. The instructions also direct auto-saving to a specific path (~/clawd/ad-ready/configs/Brands) which means the skill will write to the user's home directory. The SKILL.md forbids inventing official data and requires canonical locking, which is operationally strict but not a security issue by itself.
Install Mechanism
There is no install specification even though scripts/analyze.py declares a dependency (google-genai>=1.0.0) in its header comments. Because the skill has a runnable Python script that expects a third-party package, an explicit install step is normally required. The absence of an install spec is an inconsistency (may cause runtime failure or require the platform to install packages implicitly). There is no download-from-URL or other high-risk installer present.
Credentials
The runtime clearly requires a GEMINI_API_KEY (SKILL.md examples and get_api_key() in the script), but the registry lists no required env vars or primary credential — this is a direct mismatch. Aside from that single API key, no other secrets are requested. The skill will also write files into the user's home directory (AD_READY_BRANDS_DIR), which is proportionate to its purpose but should be noted.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not request system-wide configuration changes. Its only persistence behavior is auto-saving JSON files to a subdirectory under the user's home (~/clawd/ad-ready/configs/Brands or AD_READY_BRANDS_DIR). This is expected for an integration that provides reusable brand profiles and is not, by itself, excessive privilege.
What to consider before installing
This skill appears to do what it says (generate and save brand JSON profiles), but there are several red flags you should address before installing or running it:
- The skill’s registry metadata does NOT declare the GEMINI_API_KEY environment variable, yet both SKILL.md and the script require it. Confirm you are comfortable providing that API key and that the skill source is trustworthy.
- The Python script advertises a dependency (google-genai) but there is no install specification. Ask how/where dependencies will be installed and consider running inside an isolated environment (container or VM) to avoid unexpected package installs.
- The script and instructions require web research (Google Images, Pinterest). Confirm what data the skill will fetch and whether any downloaded images or scraped content might include sensitive material. If you want to limit network exposure, run in a sandboxed environment or on a host with controlled egress.
- The script will write files to ~/clawd/ad-ready/configs/Brands by default. If you use --auto-save, check the target path (or override AD_READY_BRANDS_DIR) to avoid accidental overwrites of important files.
- The provided analyze.py appears truncated in the package you gave (it ends mid-prompt). Obtain and review the complete script before running — incomplete code could hide additional behavior or simply fail at runtime.
Recommended steps: request the full source, ask the publisher to update registry metadata to list GEMINI_API_KEY and dependency/install info, review the complete script for any unexpected network endpoints or uploads, and test first in an isolated sandbox.
Like a lobster shell, security has layers — review code before you run it.
latest: vk978ypd1p8a2aa9fxqsnkz82hd80km1f
