Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Opportunity Scout

v1.0.0

Find profitable business opportunities in any niche by scanning Twitter, web, Reddit, and Product Hunt for unmet needs and pain points. Scores each opportuni...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The name/description and the included scoring script are coherent for an 'opportunity scout'. However, SKILL.md tells the agent to run external CLIs (bird, clawdhub) and use web_search/Reddit/ProductHunt. The skill declares no required binaries, no install steps, and requests no credentials, yet the instructions assume availability of tools that normally require installation and stored credentials. That omission is an inconsistency that could cause the agent to use local CLI configs or fail unexpectedly.
Instruction Scope
Instructions focus on web/Twitter/Product Hunt/Reddit searches and scoring, which is within the stated scope. However, the SKILL.md explicitly instructs the agent to exec 'bird' (Twitter CLI) and 'clawdhub', which are shell commands that will perform network calls and may read local CLI config (tokens). The skill does not instruct reading arbitrary local files or env vars, but executing CLIs can implicitly access local credentials/config; the instructions should document this behavior and the required credentials.
Install Mechanism
No install spec is provided (instruction-only plus a small scoring script). That is lowest-risk from an installation/extraction perspective. The included Python script is straightforward and local-only (scoring/report generation) with no hidden network calls, obfuscation, or extraction behavior.
[!] Credentials
The skill declares no required environment variables or credentials, yet it attempts to query services (Twitter) via a CLI that typically requires authentication. This is disproportionate: either credentials should be declared (and scoped) or instructions should use unauthenticated web_search calls. The implicit reliance on local CLI-auth (which may use stored tokens) is a privacy/credential risk that is not documented.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and contains no code that persists or escalates privileges. It appears to run only when invoked.
What to consider before installing
1) The scoring script is benign and local-only: it just formats and ranks opportunities.
2) SKILL.md tells the agent to run external CLIs (notably 'bird' for Twitter and 'clawdhub') via shell exec; those tools typically require installation and stored credentials. The skill does not declare those prerequisites or any credential requirements, so the agent may try to use whatever local CLI config/tokens exist (which could expose or use your account).
3) If you plan to use this skill: verify what 'bird' and 'clawdhub' binaries do on your system, confirm where they read credentials from, and only run the skill in an environment where you trust those CLI configs. Alternatively, ask the skill to use authenticated API keys you control or to rely only on web_search queries (no exec).
4) Because the skill's source and homepage are unknown, exercise caution with network-enabled operations and prefer running it in a sandboxed agent or reviewing/limiting what tools the agent may exec.

Like a lobster shell, security has layers — review code before you run it.
