Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
improve-skill-with-best-practices
v1.0.2
Understand website goals and user journeys first, then analyze GSC/GA4 data and audit the live site to validate whether users behave as intended. Identify ga...
by Morvan (@morvanzhou)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The skill claims to perform GA4/GSC/Bing audits and live-site checks — that legitimately requires Google service account credentials, GA4_PROPERTY_ID/GSC_SITE_URL, and optionally a BING_WEBMASTER_API_KEY. However the registry metadata lists no required env vars or primary credentials. That discrepancy (skill bundle includes code that auto-discovers Service Account JSON keys and expects API keys) is incoherent and could mislead users about what secrets they must provide.
Instruction Scope
SKILL.md instructs the agent to browse the target site (take screenshots), create and use a project-local .skills-data directory, auto-load a .env, place Service Account JSON keys in configs/, and execute Python analysis scripts that read raw API exports and call Google/Bing APIs. These instructions involve collecting and storing sensitive credentials and API responses in a local data folder and launching code that performs network I/O — behavior consistent with the stated purpose but broad in scope and handling sensitive data, so it needs user review and careful credential handling.
Install Mechanism
No external install spec is provided (instruction-only), but the package contains multiple Python scripts and a requirements.txt. The SKILL.md expects creating a Python virtualenv and running the scripts. That's reasonable, but executing bundled code that performs network calls requires auditing the scripts and running them in an isolated environment. No downloads from unknown URLs or obfuscated installers were found in the included files.
Credentials
The code expects GA4/GSC env vars and Service Account JSON credentials (auto-discovered from .skills-data/.../configs/*.json) and a BING_WEBMASTER_API_KEY, yet the registry metadata declares no required env vars or primary credential. The credentials requested by the code are proportionate to the skill's purpose, but the metadata omission is misleading and increases the risk of accidental credential exposure (instructions ask users to store JSON keys in the skill data folder).
Persistence & Privilege
The skill's always flag is false and the skill does not demand persistent platform-wide privileges. It writes and reads files under a project-local .skills-data directory (including configs/, .env, venv/), which is expected for offline analyses. Still, because the scripts create a venv and execute code, run them in an isolated environment and avoid placing credentials in shared repositories.
What to consider before installing
This skill includes runnable Python scripts that query Google Analytics/Search Console and Bing Webmaster APIs and will ask you to provide a Google Service Account JSON key, GA4/GSC identifiers, and a Bing API key — but the registry metadata incorrectly lists no required credentials. Before installing or running:
1) Inspect the scripts (they are bundled) to confirm they do only what you expect.
2) Do not place service-account JSON or API keys in a world-readable or source-controlled location; keep them in a secure, local .skills-data/configs/ used only by you.
3) Run the scripts in a dedicated Python virtualenv or isolated environment and review network activity.
4) If you don't want the skill to fetch live site pages or store screenshots/data locally, do not grant it those inputs.
5) Consider asking the skill author to update the registry metadata to declare the required env vars (GA4_PROPERTY_ID, GSC_SITE_URL, BING_WEBMASTER_API_KEY) and clearly document credential handling.
If you cannot verify these items, avoid running the bundled scripts with real credentials.
