Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clickbank Scraper
v1.0.0
Scrape top ClickBank products by category with gravity scores, commission rates, and estimated monthly sales. Integrates with affiliate marketing automation...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the package scrapes CBTrends for ClickBank product metadata, builds hoplinks, and writes JSON outputs for pipelines. The requested artifacts (output files, affiliate-id embedding) are consistent with the stated affiliate-marketing use.
Instruction Scope
SKILL.md instructs running node scraper.js and embedding CB_AFFILIATE_ID for hoplinks; the code scrapes one CBTrends URL and writes local JSON files only. Concerns: the script uses the global fetch() without requiring/importing node-fetch (so it relies on Node's built-in global fetch), but the README/SKILL.md and package.json list node-fetch as a dependency — this is a runtime inconsistency that may break on some Node versions. SKILL.md also includes an n8n example that runs a shell execSync command to run the scraper; executing arbitrary shell commands in integrations is expected but should be run in a controlled/isolated environment.
Install Mechanism
No automated install spec (instruction-only), which is low risk. Dependencies come from npm (cheerio, node-fetch), which is standard for a scraper. However, package-lock indicates cheerio's engines require Node >= 20.18.1, while SKILL.md claims node >=16. This Node version mismatch could cause install/runtime failures and should be reconciled before deployment.
Credentials
No required secrets or config paths are declared. The only environment variable used is optional CB_AFFILIATE_ID to generate hoplinks; that is proportional to the stated purpose. Note: embedding your affiliate ID means generated JSON and any downstream systems will contain that identifier — treat it as a privacy/marketing secret if you don't want it exposed.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or persistent system privileges. It writes only to its own output directory and does not modify other skills or system configuration. Autonomous invocation is allowed (platform default) but the skill itself does not request forced presence.
What to consider before installing
This skill appears to do what it says (scrape CBTrends and emit JSON), but before installing/running:
1) Run it in an isolated environment (container or sandbox) because it performs network scraping and executes Node code.
2) Address the Node/dependency mismatch: package-lock/cheerio indicate Node >= 20.18.1 while SKILL.md says >=16, and scraper.js uses global fetch without importing node-fetch. Upgrade Node to a version with global fetch (Node 18+), or add a require('node-fetch') call to the code.
3) If you provide CB_AFFILIATE_ID, remember outputs and downstream integrations will contain your affiliate ID (treat as sensitive).
4) Check CBTrends/ClickBank terms of service and robots.txt to ensure scraping is allowed and avoid legal/IP issues.
5) Inspect and test the script locally (npm install, run once) and run npm audit to check dependency vulnerabilities before using it in production.
If you need certainty this is safe, ask the author to fix the Node/fetch inconsistency and to document the exact Node version required.
scraper.js:11
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
