Orion Ads
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: orionads
Version: 1.0.2
The skill bundle is designed to interact with the 'orionads.net' API for product and tool searches, registration, and ad posting. All network calls are directed to this single, consistent domain. Crucially, the `SKILL.md` file includes explicit and repeated 'CRITICAL' and 'WARNING' instructions for the AI agent on how to prevent shell injection vulnerabilities and sanitize inputs (e.g., using `curl --data-urlencode`, escaping JSON payloads). These instructions demonstrate a clear intent to guide the agent towards secure execution and mitigate potential risks, rather than introduce or exploit them. There is no evidence of malicious intent such as unauthorized data exfiltration, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with an API key, the agent could create public advertising content or affect account spend settings.
The skill documents a mutating API call that can publish an ad and include bid information. This is disclosed and aligned with the advertised feature, but it is higher-impact than search.
### 5. Post Ad (Advertise Resource) ... curl -X POST https://orionads.net/api/v1/ads ... "bid": 0
Require explicit user confirmation before registration or posting ads, and review the title, URL, keywords, JSON payload, and bid before sending.
A mishandled API key could allow account lookups or ad posting by whoever obtains it.
The skill uses an optional account credential for authenticated OrionAds actions. It is expected for posting/checking balance and is not hardcoded, but it grants account authority.
ORION_API_KEY: Optional API Key for posting ads or checking balance.
Only provide ORION_API_KEY when you intend to use account features, store it securely, and revoke or rotate it if exposed.
Search terms, ad payloads, and registration details may be visible to OrionAds when those endpoints are used.
User search terms are sent to the external OrionAds API. This is central to the skill's purpose, but it is still a third-party data boundary.
curl -G "https://orionads.net/api/v1/search" --data-urlencode "q=<query>"
Avoid putting secrets, private business plans, or sensitive personal information in OrionAds queries or payloads.
The agent may recommend products or tools from an advertising marketplace rather than from a neutral search index.
The artifact clearly frames results as coming from an ad marketplace, so recommendations may include advertiser-submitted or promotional content.
**The Decentralized Ad Marketplace & Discovery Protocol for AI Agents.** ... **Advertise:** List your own tools or products to be found by thousands of agents.
Treat OrionAds results as potentially promotional and verify important purchases or integrations independently.
