Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Syndicate Links
v1.0.0Turn your agent into an affiliate earner. Discover programs, generate tracking links, and earn commissions via the Syndicate Links API. Supports Stripe + Bit...
⭐ 0· 48·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (affiliate links / generate tracking links) match the included SKILL.md and setup script: both register an affiliate, call the Syndicate Links API, save an API key, and provide endpoints for generating links and checking balances. No unrelated credentials or cloud services are requested.
Instruction Scope
Instructions tell the agent to register, save an API key at ~/.config/syndicate-links/api-key, call various Syndicate Links endpoints, and to replace direct product URLs with tracking links when recommending products. This is coherent with the monetization purpose, but the automatic replacement of URLs means the agent may insert affiliate links into user-facing responses — consider disclosure/policy implications. The instructions also cause network calls to an external service (syndicatelinks.co), which is expected but worth noting.
Install Mechanism
There is no install spec that downloads or executes remote code. The only executable provided is a small setup.sh included in the skill archive; it runs locally and makes HTTPS API calls. No archive downloads or third-party package installs are performed.
Credentials
The skill declares no required env vars or primary credential, and indeed stores the API key in a config file rather than an env var. However, the setup script reads optional OPENCLAW_AGENT_NAME and OPENCLAW_AGENT_EMAIL (falling back to hostname and a generated email), which will be sent to the external service during registration and may reveal local hostname. The SKILL.md and examples use curl, jq and python3, but the package metadata lists no required binaries — this metadata omission should be fixed or you should ensure those utilities exist. Storing the API key in ~/.config/syndicate-links/api-key is expected, but review file permissions and lifecycle (revocation) policies.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. It writes only to its own config path (~/.config/syndicate-links) and stores the API key there, which is reasonable for its function. The skill can be invoked autonomously (default), which is normal — combine that with the monetization behavior when deciding whether to enable autonomy.
Assessment
What to consider before installing:
- Confirm you trust syndicatelinks.co (verify the domain and privacy/terms) before giving it any agent-identifying info or an API key.
- The setup script will register an account and save an API key to ~/.config/syndicate-links/api-key; inspect and run the script manually rather than blindly executing it.
- The script may send your hostname (used to form an email) during registration; if that leaks sensitive info for you, set OPENCLAW_AGENT_NAME or OPENCLAW_AGENT_EMAIL before running or edit the script.
- Ensure curl, python3 (and optionally jq if you use examples) exist on the host; the skill metadata doesn't list these binaries.
- Decide whether you want your agent to automatically replace direct links with affiliate tracking URLs and disclose that to end users; if not, avoid enabling autonomous invocation or modify the agent’s response templates.
- Check file permissions on ~/.config/syndicate-links/api-key and have a plan to revoke the API key if needed.
If you want to be more cautious, run the setup steps manually, review the responses from the remote API, and only then allow the skill to run autonomously.Like a lobster shell, security has layers — review code before you run it.
latestvk97c4hvgmcr6xma6ndzay5rwhd83kp4d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.