Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Attentionmarket

v1.1.0

Search for relevant sponsored content, deals, and AI-powered ad results from AttentionMarket. Use when the user asks about deals, promotions, sponsored sugge...

by Amin Ambike @aminambike
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (search sponsored content) aligns with requiring an AM_API_KEY and using curl/jq to call an API. However the runtime endpoint used (peruwnbrqkvmrldhpoom.supabase.co) does not match the advertised homepage (dashboard.attentionmarket.ai). Using a Supabase function backend can be legitimate, but the domain mismatch is worth verifying with the provider.
!
Instruction Scope
SKILL.md instructs the agent to run an included setup script that prompts the user for email/password, authenticates with Supabase, fetches a developer API key, and writes it to ~/.clawdbot/.env. That flow requires collecting user credentials and persisting a secret to disk — behavior outside a simple read-only query skill. The SKILL.md also instructs a specific path to run the script (bash ~/clawd/skills/attentionmarket/scripts/setup.sh) which appears inconsistent with the included file layout and may fail or cause confusion.
Install Mechanism
There is no external install spec (instruction-only), which is low-risk, but the bundle includes a setup.sh script that will be executed. No remote downloads or archive extraction are performed by the skill itself.
Credentials
The only declared primary credential is AM_API_KEY, which is appropriate for an API-driven integration. The setup script, however, hardcodes a Supabase anon key and will ask for the user's email/password (interactive) to retrieve and store the API key — this is proportionate if the user understands and trusts the backend, but collecting credentials and persisting the resulting API key increases risk and should be verified.
!
Persistence & Privilege
The skill is marked always:true, meaning it will be force-included in every agent run — a significant privilege with network access. Combined with the setup script writing AM_API_KEY to ~/.clawdbot/.env and exporting it, this persistence increases blast radius if the skill or backend is compromised. There is no justification in the SKILL.md for always:true.
What to consider before installing
What to check before installing or using this skill:
- Confirm the backend: the skill calls a Supabase domain (peruwnbrqkvmrldhpoom.supabase.co) rather than the advertised attentionmarket.ai domain. Verify with the vendor that this is their official API host.
- Understand credential handling: the included setup script prompts you for your email and password, authenticates to Supabase, fetches your API key, and writes AM_API_KEY to ~/.clawdbot/.env. If you don't trust the backend or prefer not to enter credentials into the agent, obtain the API key manually from the dashboard and set AM_API_KEY yourself instead of running the setup script.
- Always:true is risky: this skill is enabled in every agent run. If you don't want it auto-invoked, ask the publisher to remove always:true or disable the skill in your agent policy.
- Path/instruction inconsistencies: SKILL.md references a hardcoded path (~/clawd/...) that doesn't match the bundle layout; expect possible command failures. Review the setup.sh contents locally before executing it.
- If you proceed, review the setup.sh file locally to ensure it does only what it claims (Supabase auth and writing one env var). Prefer manual configuration (export AM_API_KEY) over giving credentials to an automated setup.

Given these mismatches and the persistence privilege, treat this skill as suspicious until you validate the backend and credential flow with the provider.

Like a lobster shell, security has layers — review code before you run it.

ads, deals, food, latest, promotions, sponsored

Runtime requirements

💰 Clawdis
Bins: curl, jq
Primary env: AM_API_KEY
