ClawHub

Census

v1.0.0

US Census Bureau — population, demographics, ACS data, economic indicators, and geographic data.

0· 464·0 current·0 all-time
by@aiwithabidi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The script implements Census API endpoints (api.census.gov) appropriate for the skill's name and description. However, the package declares CENSUS_API_KEY as the primary credential but the code never actually uses that key when building requests (no 'key' param or auth header). The SKILL.md even describes the key as 'optional' while metadata marks it required — inconsistent.
!
Instruction Scope
SKILL.md and Quick Start only instruct running the included script against the Census API (expected). The script contains a helper get_env() that will read an .env file from WORKSPACE or ~/.openclaw/workspace/.env if present — this file access is not documented in SKILL.md and the declared required config paths are 'none'. The get_env() helper is defined but never called, so the behavior is dead code today; nonetheless the presence of undocumented filesystem access is a scope concern and should be clarified or removed.
Install Mechanism
No install spec (instruction-only with a small Python script) and the script uses only Python stdlib and standard HTTPS calls. This is low-risk from an install mechanism perspective.
!
Credentials
The skill declares a single environment variable CENSUS_API_KEY (primary credential). The code does not consume that environment variable for API requests, and instead contains logic to look for env values inside a .env file under WORKSPACE or ~/.openclaw/workspace (WORKSPACE itself is read from environment). The declared env usage and actual env/file access are inconsistent — the skill asks for a credential it doesn't use and references additional environment/config paths that are not documented in metadata.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false). It does not modify other skills or system-wide settings in the provided code. No persistence/privilege escalation observed.
What to consider before installing
This skill appears to implement Census API calls and only contacts the official api.census.gov endpoint, but there are mismatches you should resolve before trusting it with credentials. The metadata asks for CENSUS_API_KEY as the primary credential but the script does not attach that key to requests — either the author forgot to use the key (so providing one won't help) or the implementation is incomplete. The script also contains a helper that will read a .env file from WORKSPACE or ~/.openclaw/workspace (and reads WORKSPACE env) even though no config paths are declared; that behavior is currently unused but surprising. Recommendations: (1) Ask the publisher to clarify whether the CENSUS_API_KEY is required and to show how/where it is used (the script should add the key as the 'key' query parameter or equivalent). (2) Ask them to remove or document the .env / WORKSPACE lookup, or declare the config path in metadata. (3) Until clarified, avoid placing any high-privilege or unrelated secrets in the agent environment; only provide a Census API key if you trust the publisher and they demonstrate the key is used for the intended purpose. If you need the functionality but want to be cautious, run the script locally in an isolated environment and inspect network traffic to confirm it only calls api.census.gov.

Like a lobster shell, security has layers — review code before you run it.

latestvk972y8gs2n544kvw38ftm5h2t581j4z6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
EnvCENSUS_API_KEY
Primary envCENSUS_API_KEY

Comments