Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Affiliate Marketing Goldmine
v1.0.0Automatically find top high-commission affiliate programs, analyze competitors, identify keyword gaps, and generate a complete SEO content funnel, emails, an...
⭐ 0· 57·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes heavy use of external services (Apify scrapers, InVideo AI, Claude AI) and web scraping of competitor sites/Amazon/Reddit/X. Performing these actions legitimately requires API access, service credentials, or explicit orchestration; yet the skill declares no required environment variables, binaries, or install steps. That mismatch (no declared creds vs clearly needed external services) is incoherent. The SKILL.md also contains affiliate/referral parameters in external tool links, which indicates the author may profit from directing traffic to those services.
Instruction Scope
The instructions focus on web scraping and content generation — within the stated affiliate‑marketing purpose — and do not instruct reading local files or unrelated system state. However, they direct the agent to send data to third‑party endpoints (Apify, InVideo, Claude) and to scrape competitor sites for traffic/conversion data. The skill does not specify how scraped data is stored or where outputs (including potentially sensitive scraped datasets) are transmitted, which is an operational and privacy concern.
Install Mechanism
No install spec and no code files (instruction-only). This lowers direct disk/write risk because nothing will be installed automatically by the skill. The primary risk is runtime network use of third‑party services described in the SKILL.md.
Credentials
Despite instructing use of Apify, InVideo AI, and Claude, the skill declares no required environment variables or primary credential. That omission is inconsistent: those services commonly require API keys/tokens. The absence of declared credentials prevents a clear assessment of what secrets the skill will need or request at runtime. Additionally, the embedded referral parameters in tool links (e.g., fpr=dx06p, sjv.io/TBB) suggest monetization by the skill author rather than direct service integration transparency.
Persistence & Privilege
always is false and there are no install steps or code that persist on disk. The skill is instruction-only and does not request permanent presence or modifications to other skills/config. Autonomous invocation is enabled (the platform default), which increases runtime blast radius if the skill is granted credentials — this is normal but should be considered alongside the other concerns.
What to consider before installing
This skill claims to orchestrate multiple paid/third‑party services (Apify, InVideo, Claude) and to scrape competitor sites, but it does not declare the API keys or runtime permissions it will need. Before installing or using it: (1) ask the author to list required API keys/env vars and how credentials are used/stored; (2) confirm whether the skill will send scraped data to any external endpoints and whether any referral links are present (the SKILL.md includes referral parameters); (3) consider legal/terms-of-service issues around scraping target sites; (4) avoid pasting long-lived secrets until the skill explicitly declares them and you trust the author; and (5) prefer a version with transparent source code or an official homepage/author identity (the metadata Owner ID and _meta.json owner differ and there is no homepage). If the author cannot clarify these points, treat the skill with caution.Like a lobster shell, security has layers — review code before you run it.
latestvk978d03w7w3t3eszs07dy8jx6x83tgrx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.