Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Industry Research
v1.0.0
When the user wants to conduct industry research, keyword research for a campaign, search demand analysis, intent mapping, audience research, or understand w...
by Mario Karras (@mariokarras)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md explicitly orchestrates Ahrefs, Firecrawl, and Exa (including mcporter/MCP usage and the Ahrefs REST API), which legitimately require an AHREFS_API_KEY and the presence of the exa.js and firecrawl.js tools. The registry metadata, however, lists no required binaries, no required env vars, and no install spec. That mismatch between declared and actual requirements is disproportionate and unexplained.
Instruction Scope
Runtime instructions direct the agent to (1) read local files (.agents/product-marketing-context.md or .claude/product-marketing-context.md) if present, (2) run external commands (exa.js, firecrawl.js, mcporter/MCP), (3) call Ahrefs endpoints with Authorization: Bearer $AHREFS_API_KEY, and (4) write an output artifact to .agents/industry-research-{client}.md. Reading local context files and calling external tooling is reasonable for research, but the instructions reference resources (an env var and binaries) not declared in the skill metadata and thus grant the agent broad, vaguely specified discretion.
Install Mechanism
This is an instruction-only skill (no install spec), which is low-risk in isolation. However, the instructions depend on third-party CLIs (exa.js, firecrawl.js) and optionally an MCP server; because there is no install spec, the skill assumes those tools already exist on the host. That implicit dependency increases operational risk and should be made explicit in the manifest.
Credentials
The SKILL.md requires AHREFS_API_KEY (sent as Authorization: Bearer $AHREFS_API_KEY) when MCP is unavailable, but the skill metadata lists no required environment variables or primary credential. This is a clear mismatch: a secret is referenced at runtime but not declared. The skill may also access local context files, which can contain sensitive information; those accesses are not declared as config paths.
Persistence & Privilege
The manifest's always flag is false and the skill does not request persistent system privileges. It will read local product-marketing-context files and write an artifact to .agents/industry-research-{client}.md; this is reasonable for its purpose but does constitute file read/write access to the agent workspace and may expose sensitive client data. The skill does not modify other skills or global agent settings.
What to consider before installing
Do not install blindly: the skill's instructions expect an Ahrefs API key and external CLIs (exa.js, firecrawl.js, and optional MCP tools), but the manifest does not declare them. Before using:
(1) Confirm whether you want to provide AHREFS_API_KEY, and issue a limited-scope token if possible.
(2) Ensure exa.js and firecrawl.js (and mcporter/MCP if used) are installed from trusted sources, or update the manifest to include explicit install instructions.
(3) Review any .agents/product-marketing-context.md or .claude/product-marketing-context.md files the agent may read for sensitive data and remove secrets.
(4) Be aware the skill will write output to .agents/industry-research-{client}.md; verify that location is acceptable.
(5) Ask the maintainer to update the skill metadata to list required binaries, required env vars (AHREFS_API_KEY), and any config paths, or decline installation until those inconsistencies are resolved.
If you cannot verify these items, run the skill in an isolated/sandboxed environment with least-privilege credentials.
