Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ai-sbti-skill-test

v1.0.0

AI-based SBTI skill test SEO operations for https://aisbti.com/ with weighted backlink scoring, internal link-juice relay planning, and safe anchor distribut...

by Weiping Cai (@cweiping)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, CSV templates, and the Python planner align with a backlink-prioritization tool for aisbti.com. The included scripts only parse CSVs and produce markdown/JSON outputs — functionality is coherent with the stated SEO planning purpose. However, SKILL.md instructs storing 'credentials' in a secrets file even though none of the code requires API keys or external services; that guidance is not justified by the planner itself.
Instruction Scope
Runtime instructions ask you to copy a runtime env template into /root/.openclaw/workspace/.secrets and warn 'Never store credentials under skills/'. The runner script will source and export any variables found in that file. The code does not use network calls or external endpoints, so the requirement to place credentials in a secrets file is vague and unnecessary for the planner-only workflow. Also, SKILL.md's quick-start copies from skills/ai-sbti-skill-test/config/ai-sbti-skill-test.env.example but that file is not present in the package (missing template) — a coherence issue.
Install Mechanism
No install spec is provided; this is an instruction-only skill with local scripts. No external downloads or package installs are performed by the bundle itself, which is the lowest-risk install profile.
Credentials
The package declares no required environment variables or credentials, yet SKILL.md and the bash runner encourage keeping a secrets file in /root/.openclaw/workspace/.secrets and the runner will source and export it. The planner only needs file paths and simple flags; requiring or advising arbitrary credentials is disproportionate. Sourcing an unspecific secrets file could expose platform tokens or unrelated secrets to the process environment if the user follows the instructions without auditing the file.
Persistence & Privilege
The skill's always flag is false; the skill does not request persistent or platform-wide privileges, and it does not modify other skills or system-wide agent settings. Autonomous invocation is allowed by default but is not combined with other elevated privileges here.
What to consider before installing
This skill appears to implement an offline backlink scoring and relay planner and contains no network calls, but the SKILL.md asks you to place a 'secrets' env file in /root/.openclaw/workspace/.secrets and the runner will source and export all variables from that file. Before installing or running:
1) Open and inspect any env file you put into that path — do not copy credentials you don't understand.
2) Note the package does not include the referenced config/ai-sbti-skill-test.env.example file (SKILL.md references a template that is missing) — ask the author or create a minimal env with only the specific flags you need (SITE_URL, INPUT_CSV, etc.).
3) Prefer running the Python script with explicit command-line flags pointing to local CSVs in an isolated environment rather than sourcing an opaque secrets file.
4) If you plan outreach or automated submission steps (not present here), ensure those components are separate and audited; do not store platform-level API keys or cloud credentials in the advised secrets file.
5) If you want higher assurance, run the scripts in a sandbox, and consider removing the source/export behavior (the 'set -a; source ENV; set +a' block) or restrict the env file to non-sensitive parameters.


latest: vk976cby7hpfkax4xbaespny6xd84ht17
