Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ocean Io
v1.0.0
B2B prospecting and lookalike intelligence powered by Ocean.io. Find companies similar to your best customers, identify decision-makers by title and seniorit...
by @mokto
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly targets Ocean.io and legitimately requires an Ocean API token; however the registry metadata provided to you earlier lists no required environment variables or primary credential. That mismatch is an inconsistency in the package metadata (the skill will not function without OCEAN_API_TOKEN as declared in SKILL.md).
Instruction Scope
Instructions limit actions to searches, people lookups, and exports against Ocean.io and include sensible guidance (cache static lists, confirm credit cost before export). One implementation detail: the MCP server URL places the API token in the query string (api-token=${OCEAN_API_TOKEN}), which increases risk of the token appearing in logs or referrers — the SKILL.md does not warn about that.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code — lowest risk for arbitrary code being written to disk.
Credentials
SKILL.md requires a single credential (OCEAN_API_TOKEN), which is appropriate for the stated purpose. However the published registry metadata omitted this requirement, creating an informational mismatch. Also the skill's header embeds the token in a query parameter which can leak credentials in logs; the skill does not request any other unrelated secrets.
Persistence & Privilege
The skill does not request always:true, does not claim system-wide persistence, and is user-invocable only. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags here.
What to consider before installing
This skill appears to implement an Ocean.io connector and legitimately needs your Ocean API token. Before installing: (1) confirm you trust the skill's source (owner ID is present but no homepage), (2) be prepared to supply OCEAN_API_TOKEN — the skill embeds it in the API URL query string (this can cause tokens to appear in logs or referrers), so consider using a token with limited scope and rotate it if needed, (3) verify costs and confirm any export actions before they run (the skill warns about credits), and (4) ask the publisher to fix the registry metadata to declare the required env var and, if possible, to use Authorization headers instead of a query parameter for the token. If you are not comfortable supplying an API token or cannot verify the publisher, do not install.
Like a lobster shell, security has layers — review code before you run it.
latestvk97510zfj31smbg7nxdkena44d836k0j
