ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Selection Agent

全渠道选品 Agent — 关键词调研、SEO分析、竞品分析、TrendPlus数据。触发词:选品、关键词调研、SEO分析、竞品分析、keyword research、competitor analysis。执行前必须读取 AGENT_CONFIG.md。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 34 · 1 current installs · 1 all-time installs
by@lygjoey
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The declared purpose (keyword/SEO/competitor research) reasonably explains needing Semrush, FB Ads, Sheets, and a DB. However the skill metadata declares no required env vars or credentials while SKILL.md explicitly lists multiple sensitive keys and external dependencies. That mismatch is incoherent: either the metadata is incomplete or the skill is attempting to access secrets it didn't declare.
!
Instruction Scope
Runtime instructions demand reading /tmp/powerful-trendplus/AGENT_CONFIG.md, sourcing .env.local, and running python3 scripts/run_full_research.py — i.e., reading arbitrary local files and executing a local script. The instructions also reference multiple credential locations (~/.bashrc, system env, .env.local) and external data sources (sitemaps, CMS API, Notion DB). This goes beyond a simple API-integration description and grants broad access to host files and secrets.
Install Mechanism
Instruction-only skill with no install spec or code files. That lowers installer risk because nothing is automatically downloaded or written by an installer. The primary risk comes from runtime file access and execution, not an install step.
!
Credentials
SKILL.md expects multiple sensitive credentials (SEMRUSH_API_KEY, FB_ADS_TOKEN, NOTION_API_KEY, GEMINI_API_KEY, Google OAuth, MySQL creds) but the skill metadata lists none. It also suggests those secrets live in diverse locations (.env.local, system env, ~/.bashrc). Requesting many kinds of credentials across different services is disproportionate unless explicitly declared and justified in metadata.
!
Persistence & Privilege
The skill is not 'always: true', but its instructions cause the agent to execute an arbitrary local Python script. If the agent is allowed to invoke the skill autonomously, that script could perform any actions the agent's runtime permits (network calls, file reads/writes, secret exfiltration). This is a meaningful runtime privilege even absent installer persistence.
What to consider before installing
Do not enable this skill without verification. The SKILL.md instructs the agent to read /tmp/powerful-trendplus/AGENT_CONFIG.md, source .env.local, and run a local Python script — actions that can expose local secrets or execute arbitrary code. Before installing, ask the publisher to: (1) provide a trusted source URL and SHA256 for scripts; (2) update metadata to list all required env vars and explain why each is needed; (3) publish the AGENT_CONFIG.md and run_full_research.py for review. If you must test, do so in an isolated sandbox or VM, and avoid granting production credentials (move keys to a test account). If you do install, inspect /tmp/powerful-trendplus and .env.local contents and remove or redact any secrets you don't want the agent to access.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97axscacn4wm9wqzxzmxa7t7s83tx7n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Selection Agent Skill — 全渠道选品 Agent

触发条件

当用户提到"选品"、"关键词调研"、"SEO分析"、"竞品分析"、"keyword research"、"competitor analysis"时激活。

⚠️ 必读配置

执行前必须读取: /tmp/powerful-trendplus/AGENT_CONFIG.md 这里面写死了所有 Token、竞品列表、输出结构、环境变量,不要忘记!

快速执行

cd /tmp/powerful-trendplus
source .env.local 2>/dev/null
python3 scripts/run_full_research.py

环境变量(全部已配置)

变量状态
SEMRUSH_API_KEY✅ 系统环境变量
FB_ADS_TOKEN.env.local(App需 ads_read 权限)
NOTION_API_KEY✅ 系统环境变量(DB未授权)
GEMINI_API_KEY~/.bashrc

竞品列表(固定)

photoroom.com, remini.ai, fotor.com, picsart.com, faceapp.com, cutout.pro

去重数据源

  • A. Sitemap: https://art.myshell.ai/sitemap.xmlenpage.xml
  • B. CMS Base44: https://app.base44.com/api
  • C. Notion Bot DB: 1113f81ff51e802f8056d66c76a9f9e6(待授权)

固定输出结构

{
  "keyword": "...", "func_cn": "...", "kd": 42, "volume": 49500,
  "region": "US", "comp_url": "...", "comp_domain": "...",
  "coverage": "new|exists_sitemap|exists_cms|exists_notion|duplicate",
  "dedup_source": "", "fb_ads_count": 0, "fb_top_advertiser": "",
  "gap_score": 85.2, "priority": "high|medium|low"
}

项目仓库

https://github.com/Arxchibobo/powerful-trendplus

依赖

  • Semrush Skill(关键词数据)→ 需要 SEMRUSH_API_KEY
  • Google Workspace Skill(Sheets 输出)→ 需要 OAuth
  • MySQL Skill(内部数据对比)→ 需要数据库凭证

常见错误

错误原因处理
Semrush API 限额免费版有日请求上限减少关键词批量,分批查询
关键词为空查询词太窄或拼写错误放宽匹配,尝试同义词
Sheets 写入失败OAuth token 过期提示用户重新授权
超时大量关键词并发查询分批处理,每批 ≤20 个

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…