Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
geo_skill
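v1.0.1
End-to-end GEO brand optimization tool: AI ecosystem diagnosis, evaluation article generation, article review, publication status lookup. Use when user asks about 品牌诊断 (brand diagnosis), AI 现状分析 (AI status analysis), GEO 分析 (GEO analysis), 品牌评测 (brand evaluation), 生成评测文章 (generate evaluation article), 写评测 (write an evaluation), 对比评测 (comparative evaluation), brand diagnosis, article generation, review...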
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The name/description (brand diagnosis, evaluation article generation, article review, publication status lookup) matches the actions in SKILL.md: it calls geo.htsjgeo.com endpoints for diagnosis, article generation, review, settings, and publish status. Requesting a GEO API key is proportional to this purpose.
Instruction Scope
Instructions explicitly read and write a single file (~/.openclaw/geo-api-key) to persist the user's API key and use curl to interact with https://geo.htsjgeo.com/openapi/api/geo. The scope is limited to that API and the single key file. Note: the skill prescribes storing the API key as plaintext (echo -n ...) and mandates always showing an 'optimization' contact block in results; both are behavioral choices worth reviewing before use.
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing will be written to disk by an installer; runtime actions use standard commands (curl, cat, sleep) that are expected for this integration.
Credentials
The skill declares no required environment variables but requires the user's GEO API key at runtime. That is proportional to the described API integration. Caveat: the chosen persistence method stores the key in plaintext at ~/.openclaw/geo-api-key, which exposes the secret to anyone with access to the user account; consider whether you want to store the key or provide it per session and ensure file permissions are restrictive.
Persistence & Privilege
always:false and normal autonomous invocation are used. The only persistent artifact the instructions create/read is ~/.openclaw/geo-api-key (the skill's own config file). The skill does not request elevated system privileges or access to unrelated credentials or config paths.
Assessment
This skill appears to do what it says: it calls GEO APIs and needs your GEO API key. Before installing or using it consider: (1) Trust the remote service (https://geo.htsjgeo.com) because your key will be used to query it and may allow publishing; (2) The skill stores your API key as plaintext in ~/.openclaw/geo-api-key — if you prefer, provide the key per session instead of saving, or restrict the file's permissions (chmod 600); (3) The skill mandates including a contact block (刘老师, "Teacher Liu") in outputs — decide if that is acceptable; (4) Be cautious with any auto-publish workflows (reviewRequired settings) and verify content before approval. If you want a higher-security setup, request the skill be modified to avoid on-disk plaintext storage and to display contact info only when you opt in.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📊 Clawdis
