Ahrefs Complete SEO Suite

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Ahrefs API documentation skill, but users should handle the required API token carefully.

Install only from the ClawHub/OpenClaw listing or a repository you trust. Use a rotatable Ahrefs API token, keep ~/.openclaw/workspace/.env private with restrictive permissions, avoid running commands that print the token, never paste token output into chats or tickets, and review broad or batch analyses before running them because they can consume Ahrefs API quota.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installation guide tells users to run `grep AHREFS ~/.openclaw/workspace/.env`, which will print the Ahrefs API token in cleartext to the terminal. That creates a realistic risk of secret disclosure through terminal scrollback, screen sharing, logging, or copied output, especially in troubleshooting contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting example embeds a bearer token directly in a shell command, encouraging users to place secrets on the command line. Command-line secrets can be exposed through shell history, process listings, recordings, or copied terminal output, making accidental credential leakage more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README tells users to place a live Ahrefs API token in a local `.env` file but provides no guidance on keeping that secret out of version control, logs, screenshots, or shared workspaces. In a skill focused on API integrations, this omission increases the likelihood of accidental credential exposure, which could allow unauthorized API use, billing abuse, and access to SEO/account data permitted by the token.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to read and export a secret from a local `.env` file directly into shell commands without any credential-handling warning or safer secret-loading mechanism. In an agent setting, this normalizes secret access from the local workspace and increases the risk that tokens are exposed in logs, command history, process listings, or reused in unintended contexts.

VirusTotal

66/66 vendors flagged this skill as clean.
