Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Market Research Litiao

v1.0.0

Size markets, analyze competitors, and validate opportunities with practical frameworks and free data sources. Uses Tavily API (preferred) for research.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description say it uses the Tavily API and the declared requirement is TAVILY_API_KEY — that's coherent. However, the SKILL.md instructs running node scripts in ~/.openclaw/workspace/skills/tavily-search-litiao which are not part of this package; relying on an external, undeclared companion script is surprising and should be justified.
Instruction Scope
Instructions are generally scoped to market research tasks and reference only the Tavily key. They do, however, instruct the agent to cd into a specific user-home path and run local Node scripts (node scripts/search.mjs ...). Those filesystem/command instructions reference code that isn't present in this skill and could cause the agent to attempt to execute arbitrary local scripts if those files exist — the SKILL.md should explain the relationship to the referred scripts or include them.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in itself. The lack of an install step also explains why the referenced Node scripts are missing from this package — but that missing piece is the main concern, not the install mechanism.
Credentials
Only TAVILY_API_KEY is declared as required, and Tavily is explicitly the preferred data source. Requesting that single API key is proportionate to the stated purpose; no unrelated secrets or broad credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges. Autonomous invocation is permitted (platform default) but not combined with other red flags here.
What to consider before installing
This skill appears to legitimately use Tavily for market research and only requests a Tavily API key, which is reasonable. However, the runtime instructions expect you to run node scripts under ~/.openclaw/workspace/skills/tavily-search-litiao that are not included here — ask the publisher what those scripts are or whether you need a companion 'tavily-search' skill. Before installing or providing TAVILY_API_KEY: (1) verify the source/publisher and confirm where the referenced Node scripts come from, (2) inspect any companion scripts for unexpected behavior before running them, (3) consider creating a limited/rotatable Tavily key or testing in a sandbox account, and (4) avoid granting unrelated credentials or running unknown local scripts.


latest: vk975y9nhzv1se0aam2gpzb81r9832rm2


Runtime requirements

📊 Clawdis
Env: TAVILY_API_KEY
