Rankscale Geo Analytics
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims—fetch Rankscale analytics using a Rankscale API key—with no artifact-backed evidence of hidden or malicious behavior.
This appears to be a normal Rankscale analytics integration. Before installing, make sure you trust the publisher, provide only the Rankscale API key needed for this use, avoid putting the key directly in shell commands, and store any .env file with restrictive permissions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill must provide a Rankscale API key, so the skill can retrieve analytics for brands available to that key.
The skill requires a Rankscale API key, which grants access to the user's Rankscale account analytics.
requires:\n env:\n - RANKSCALE_API_KEY
Use a dedicated Rankscale API key if possible, store it through OpenClaw Gateway or a protected .env file, and rotate the key if it is exposed.
The assistant can call the Rankscale API and display brand analytics when invoked.
The code makes authenticated API requests to Rankscale endpoints to fetch reports and related analytics, which matches the stated purpose.
async function fetchReport(apiKey, brandId) {\n return apiRequest('v1/metrics/report', apiKey, 'POST', { brandId });\n}Confirm the skill should have access to the Rankscale brand tied to the configured API key before enabling it.
Users may have to rely on the registry artifacts and Rankscale homepage rather than an independently verifiable source repository.
The registry metadata does not identify a source repository or package provenance, so users have less context for verifying authorship.
Source: unknown
Verify the publisher and homepage before installing, and prefer a version with a clear source link if available.
A Rankscale API key could be accidentally exposed if entered directly in a terminal command.
The onboarding documentation allows passing the API key on the command line, which is convenient but can expose secrets through shell history or process listings.
Or pass on command line:\n\n node rankscale-skill.js \\\n --api-key rk_... \\\n --brand-id <YOUR_BRAND_ID>
Prefer OpenClaw Gateway environment configuration or a chmod 600 .env file rather than command-line API-key arguments.