ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AnalyticLunch

v1.0.0

Query live traffic data, tracking links, and weekly reports from AnalyticLunch

0· 46·0 current·0 all-time
by@dandyer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and listed API endpoints align with a traffic/competitive-intel integration that legitimately needs an API key. However, the package has no listed homepage or source and the publisher is unknown, which reduces provenance and trust.
Instruction Scope
SKILL.md keeps scope narrow: it tells the agent to call analyticlunch.com endpoints and always include an x-api-key header. It does instruct using shell exec with curl (expected for an instruction-only skill). One inconsistency: the document says the API key comes from config (skills.entries.analyticlunch.apiKey) but all curl examples use the environment variable $ANALYTICLUNCH_API_KEY — this ambiguity could cause the agent to look in the wrong place for credentials.
Install Mechanism
There is no install spec and no code files — instruction-only skills are lower risk because nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares one required config path for an API key (skills.entries.analyticlunch.apiKey), which is proportional. It does not declare any required environment variables, but examples reference $ANALYTICLUNCH_API_KEY (undeclared) — this mismatch should be clarified before trusting credentials.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent or system-wide privileges or modify other skills' configs.
What to consider before installing
This skill appears to be a simple API wrapper for AnalyticLunch and only needs an API key, but the author/source is unknown and the SKILL.md mixes configuration styles. Before installing: 1) Verify the vendor/domain (analyticlunch.com) and confirm you trust it. 2) Prefer storing the API key in the declared config path (skills.entries.analyticlunch.apiKey) rather than an undeclared environment variable; ask the author to fix the examples if needed. 3) Ensure the API key has minimal scope and rotate/revoke it if you stop using the skill. 4) Because the skill uses shell exec with curl, run it in an environment where leaking other secrets is unlikely (avoid exposing other env vars). 5) If you need higher assurance, request source or a homepage, or prefer an official integration/SDK from a verifiable vendor.

Like a lobster shell, security has layers — review code before you run it.

latestvk978kwxmwebz5yaccc9stwmrkd83m2wy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Configskills.entries.analyticlunch.apiKey

Comments