LLM Signal GEO Analyst
v0.1.0
Run LLM Signal GEO analyst workflows from OpenClaw. Use when you need to fetch deterministic GEO action plans, check site health status, and execute/review h...
⭐ 0· 194·0 current·0 all-time
by @immythz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested resources: the skill talks to LLM Signal agent endpoints and requires LLMSIGNAL_BASE_URL, LLMSIGNAL_SITE_ID, and LLMSIGNAL_API_KEY and curl/bash/sh to run the included scripts. Required binaries and env vars are proportional to the declared purpose.
Instruction Scope
SKILL.md and prompts direct the agent to call /api/agent/v1/plan and /api/agent/v1/status and to persist runs. The instructions do not request unrelated files or credentials. Two operational issues: (1) the templates and scripts include the API key in the JSON body (and also send it as a header), and (2) executing curl with the API key embedded in the command line can expose the key in process lists or shell history. Both are scope-consistent but increase secret exposure risk.
Install Mechanism
No install spec is present (instruction-only + bundled scripts). No downloads or external install sources are used, which minimizes supply-chain risk.
Credentials
The declared environment variables are strictly the service base URL, site id, and API key — appropriate for an API-integration skill. However, the API key is duplicated into the request body and sent with persist=true, which means the key (and run content) may be stored on the remote service; this increases exposure beyond typical header-only authentication and should be justified or removed.
Persistence & Privilege
always is false and the skill is user-invocable. Persisting run history is a declared behavior (persist=true) that applies to the remote service; the skill does not request elevated platform privileges or modify other skills' configs.
Scan Findings in Context
[pre-scan-injection-signals] expected: No pre-scan injection signals detected. This is expected for a small instruction+script package.
Assessment
This package appears to do what it says: call your LLM Signal endpoints and return action plans. Before installing, consider the following: (1) the scripts embed your API key in the JSON payload and in the curl command — that means the key (and any persisted run history) may be stored on the remote service and the key could be exposed in local process lists or shell history. Prefer sending only an authentication header and avoid including the key in request bodies if the service accepts header auth. (2) Avoid running these scripts on multi-tenant/shared hosts where process args are visible, or use safer calling patterns (e.g., pass JSON on stdin or use .netrc/token files) to avoid command-line leakage. (3) Confirm what 'persist=true' stores on the vendor side; if it stores full payloads, do not include secrets in those payloads. (4) Use a least-privilege/rotatable API key for LLMSIGNAL, and rotate it if you decide to remove the skill. These are operational hygiene items — the skill's requested resources are otherwise consistent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
agent · geo · latest · llm-signal · seo
Runtime requirements
Any bin: curl, bash, sh
Env: LLMSIGNAL_BASE_URL, LLMSIGNAL_SITE_ID, LLMSIGNAL_API_KEY
Primary env: LLMSIGNAL_API_KEY
