Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Preny Analytics

v1.5.0

Connects directly to Preny AI Chatbot to automatically aggregate and analyze sales data in real time.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to connect to Preny using a Preny Token (PRENY_TOKEN) only, but several included shell scripts (scripts/preny-cli.sh, scripts/preny-conversations.sh) expect PRENY_API_KEY and PRENY_WORKSPACE_ID. Some files use PRENY_TOKEN (preny-stats.sh, preny-tags.sh, preny-handler.js) while others use PRENY_API_KEY + WORKSPACE_ID. Requiring extra credentials (API_KEY + WORKSPACE_ID) is not documented in SKILL.md or the templates and is disproportionate to the advertised 'token-only' setup.
Instruction Scope
SKILL.md and README instruct only to export PRENY_TOKEN and show how to retrieve it from the dashboard (DevTools/localStorage). The runtime files, however, will call Preny APIs (various endpoints) using curl/fetch. There are no instructions to read unrelated local files or contact third-party endpoints outside Preny domains, but the docs explicitly tell the user how to extract a bearer token from browser DevTools/localStorage — this is sensitive guidance (normal for getting a token, but worth caution).
Install Mechanism
No install spec; the skill is instruction-only with shell/JS scripts that rely on system binaries (curl, jq). No downloads or archive extraction are present in the manifest.
! Credentials
Declared requirements list only PRENY_TOKEN, but scripts expect PRENY_API_KEY and PRENY_WORKSPACE_ID (preny-cli.sh, preny-conversations.sh). There is inconsistency in env variable names across files (PRENY_TOKEN vs PRENY_API_KEY), and multiple API base URLs appear in code (api.preny.ai/v1, api-production.prenychatbot.ai/api/v1, api-production.prenychatbot.ai/api/v1/statistics/...), creating ambiguity about what credentials and scopes are actually needed. That mismatch increases the risk of misconfiguration or unintended credential exposure.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system configuration. It does not request persistent installation privileges in the manifest.
What to consider before installing
Do not install or run this skill until the author clarifies which credentials are required and why multiple env variables are referenced. Specific actions to take before proceeding:
- Ask the author/maintainer why some scripts require PRENY_API_KEY and PRENY_WORKSPACE_ID while SKILL.md declares only PRENY_TOKEN. If PRENY_TOKEN alone should work, request updated scripts that use it consistently.
- Inspect and run the scripts locally in a safe environment (not on production hosts) before granting any tokens. The scripts will make API calls to Preny domains; verify those domains with Preny support if unsure.
- Avoid pasting your Preny token into third-party sites. Follow the README's local steps to obtain a token, but treat the token as sensitive (it grants access to business data). Rotate the token if you accidentally disclose it.
- Prefer an official Preny integration or documentation from preny.ai if available. If you must use this skill, limit the account/workspace scope of the token and consider creating a dedicated workspace or read-only credentials (if supported) rather than using a full-access token.
Because of the mismatch across files and undocumented additional env requirements, treat this package as untrusted until clarified.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/preny-handler.js:6: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.

latestvk971v4tf11zjbystezws4n0jfx844gea


Runtime requirements

Bins: curl, jq
Env: PRENY_TOKEN
