Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Geo Event Router
v1.0.0
Analyzes, classifies, scores, and routes geostrategic news events using multi-factor scoring and optional LLM semantic analysis for push decision-making.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the provided code: functions for detecting event type, fingerprinting, multi-factor scoring, and optional LLM analysis are present. However, SKILL.md references a local config.py and a push/dispatch behavior (push decisions), but no config.py is included and there is no visible push transport or delivery implementation in the provided file fragment. The SKILL.md lists dependencies (llm_news_analyzer, geo_market_impact_mapper) that are plausible for the purpose, but their provenance is unknown.
Instruction Scope
SKILL.md provides a narrow Python-API usage guide that stays within the stated domain (detect, score, fingerprint, decide). It does not instruct the agent to read unrelated system files or environment variables. Concern: SKILL.md and the code indicate optional LLM analysis and external market mapper usage but do not explain what data flows to those modules or whether they perform network calls; the skill's instructions do not declare that external services or credentials may be required.
Install Mechanism
No install spec (instruction-only with a single Python module). That minimizes install-time risk because nothing is downloaded or installed automatically by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, yet depends (optionally) on external packages that commonly require API keys (LLM analyzers or market-data mappers). Those credentials are not declared or explained. This is a proportionality concern because the code could end up calling external services without the SKILL.md listing required env/config or warning about data sent to third parties.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. It does not request persistent system privileges or declare changes to other skills' configurations in the provided material.
What to consider before installing
This skill appears to implement the event-detection and scoring it claims to do, but there are gaps you should clear up before installing or running it with real data:
- Missing files: SKILL.md references a config.py and mentions push/dispatch behavior, but config.py is not included and no delivery/push implementation is visible. Ask the author for the missing config and the code path that actually sends/dispatches pushes.
- External dependencies: The skill optionally imports llm_news_analyzer and geo_market_impact_mapper. Those modules may perform network calls or require API keys. The skill does not declare required environment variables or where data is sent. Confirm the provenance of those packages and whether they transmit news text to remote services (and whether they require credentials).
- Data exfiltration risk: Even though this bundle itself has no declared network calls, the optional LLM analyzer could send news content to a third-party LLM service. Do not run it on sensitive data until you inspect or vendor-audit those dependencies.
- Test safely: Run the code in a sandboxed environment with representative but non-sensitive input. Enable logging/inspection (or monkeypatch analyze_semantic) to observe outbound network activity before allowing it access to production data.
If the publisher can provide the missing config.py, a clear list of required environment variables (if any), and the source/license/provenance of the optional dependencies, the remaining concerns would be largely addressable.
Like a lobster shell, security has layers — review code before you run it.
