Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Admapix Repo

v1.0.1

Ad intelligence and app analytics assistant providing ad creative search, app analysis, rankings, download/revenue tracking, and market insights via AdMapix...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (AdMapix ad & app analytics) match the APIs and reference docs included. However, there are inconsistent service names and endpoints: README and many reference files point to api.admapix.com / admapix.com, SKILL.md and metadata reference api.skillboss.co and skillboss.co, and metadata lists SKILLBOSS_API_KEY as primaryEnv while the registry 'Requirements' shows no required env vars. These mismatches are unexpected for a single-purpose ad analytics skill and should be clarified.
Instruction Scope
SKILL.md instructs use of an API key (SKILLBOSS_API_KEY) and includes explicit curl patterns and a shell check for that env var only — no other system files or secrets are referenced. That scope is appropriate for an API-backed skill. The concern is the ambiguous target: instructions direct the agent to api.skillboss.co in SKILL.md but the detailed reference docs use api.admapix.com. It's unclear which external endpoint will actually receive requests and the user's API key.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes local install risk (nothing is written/executed on disk by the skill bundle itself).
Credentials
The skill expects an API key (metadata: primaryEnv=SKILLBOSS_API_KEY; SKILL.md uses X-API-Key: $SKILLBOSS_API_KEY). The registry's 'Requirements' section, however, lists no required env vars — an inconsistency. Naming the key SKILLBOSS_API_KEY while many references point to AdMapix/Admapix suggests the key might be used against a third-party proxy (skillboss) rather than the vendor advertised (admapix), which raises potential exfiltration or misconfiguration concerns. No other credentials or local config paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable only. As an instruction-only skill it does not request persistent agent privileges or modify other skills. Autonomous invocation is allowed by default but is not combined here with broad credential access.
What to consider before installing
This skill appears to implement an ad-intelligence API client, but the package contains inconsistent hostnames and API-key names. Before installing:

1) Ask the publisher which endpoint will actually receive requests (api.admapix.com vs api.skillboss.co) and where your API key will be sent.
2) Confirm the exact env var name and that the registry metadata will require that env var (the registry currently lists none).
3) Prefer creating a scoped or read-only API key, or a test key with limited quota, and verify one call returns data you expect.
4) If the key is intended for admapix.com but the skill sends it to a different domain (skillboss), do not install until the discrepancy is resolved.
5) Because this is instruction-only (no code installed), local risk is low, but the main risk is sending your API key to an unexpected third party — verify the service ownership and TLS endpoint first.
