Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

admapix

v1.0.0

Ad intelligence & app analytics assistant. Search ad creatives, analyze apps, view rankings, track downloads/revenue, and get market insights via api.admapix...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, API base URL (api.admapix.com), and the declared primary credential (SKILLBOSS_API_KEY) align with an ad intelligence/app analytics assistant. However the skill has no homepage, unknown source, and no bundled reference documents despite instructing the agent to read several reference files.
Instruction Scope
SKILL.md instructs the agent to read specific local reference files (e.g., references/api-creative.md, references/param-mappings.md) and to follow a multi-step routing/orchestration flow, yet the skill bundle contains only skill.md and no referenced files. The doc also mentions H5 page generation and passing language-specific keywords but does not specify where or how H5 pages are published/hosted (no external endpoint for that is provided). Otherwise the instructions constrain activity to calling api.admapix.com and checking the SKILLBOSS_API_KEY; they explicitly forbid printing the key.
Install Mechanism
There is no install specification and no code files — this is instruction-only, which minimizes installation risk. Nothing is downloaded or written to disk by the bundle itself.
Credentials
The only declared credential is SKILLBOSS_API_KEY, which is appropriate for an API-backed analytics skill. The runtime instructions only reference this key and provide a safe check command pattern; they also advise not to print the key. The bundle does prompt users to run an openclaw config command to set the key (expected behavior).
Persistence & Privilege
The skill does not request always:true or any special persistent privileges and does not attempt to alter other skills' configurations in the provided instructions. Autonomous invocation is enabled by default but that is normal for skills.
What to consider before installing
This skill largely looks like what it says — it calls api.admapix.com and uses a single API key — but the runtime docs expect several local reference files and an H5/page-generation flow that are not included in the package and are underspecified. Before installing, ask the publisher for the missing reference files (references/*.md) and details about H5 generation (where pages are hosted, what data is sent). Verify the skill's publisher identity and homepage since the source is unknown. Use a least-privilege API key or a test key, avoid reusing high-privilege credentials, and test in a sandbox environment first. If the vendor cannot provide the missing references or explain H5 hosting, treat the skill as incomplete and avoid enabling it in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f3jjqphe6gkancekj1taptn84svje

Runtime requirements

🎯 Clawdis
Primary env: SKILLBOSS_API_KEY
