Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Airbnb Rental Growth
v1.0.0
Scrapes Airbnb, Vrbo, and Booking listings, analyzes pricing and reviews, and generates data-driven strategies to optimize rental revenue and marketing content.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to scrape short-term rental marketplaces and produce pricing/marketing assets. The SKILL.md uses Apify for scraping and InVideo for videos, which are coherent with that purpose. However the metadata lists no required credentials or environment variables even though the instructions explicitly require APIFY_TOKEN and INVIDEO_API_KEY; that mismatch reduces trust in the package metadata.
Instruction Scope
The SKILL.md gives concrete runtime instructions: create Apify and InVideo accounts, export APIFY_TOKEN and INVIDEO_API_KEY, npm install apify-client and axios, and invoke various Apify actors (Airbnb, Booking.com, Google Maps, Instagram, TikTok, Reddit, etc.). Those actions stay within the declared functional scope (market scraping and content creation). Two concerns: (1) the document references 'Claude AI' but provides no guidance on how the agent should authenticate/access it, leaving an open question about where an LLM credential would come from; (2) the instructions ask you to grant API tokens but the skill metadata does not declare those env vars, so an automated review or permission UI could miss them.
Install Mechanism
This is an instruction-only skill with no install spec or code files. The SKILL.md recommends running 'npm install apify-client axios' locally. That is a low-to-moderate-risk action (installs third-party npm packages) but is expected for the described functionality; no opaque downloads or extract/install steps are present in the registry metadata.
Credentials
The runtime instructions require APIFY_TOKEN and INVIDEO_API_KEY (both sensible for Apify and InVideo usage), but the skill metadata lists no required env vars or primary credential — an inconsistency. The number and type of credentials requested by the instructions are proportional to the functionality, but the missing declaration is a red flag because platform-level permission granting or auditing may not surface those requirements.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false) and has no install-time hooks specified. There is no indication it modifies other skills or system-wide settings. Autonomous invocation is permitted by default but not by itself suspicious; combined with the env-var mismatch it increases the need for caution when the skill is enabled.
What to consider before installing
Before installing or running this skill:
(1) note the SKILL.md requires APIFY_TOKEN and INVIDEO_API_KEY even though the registry metadata lists none — do not paste long-lived personal credentials into tools until you confirm why they are needed; prefer creating limited-scope or dedicated service tokens and revoke them after testing.
(2) The skill recommends 'npm install' of third-party packages — run these in an isolated environment (container/VM) and inspect package names/versions.
(3) The skill will scrape many platforms (Airbnb, Vrbo, Booking, Google Maps, Instagram, TikTok, Reddit); check legal/terms-of-service and consider rate limits and potential IP/behavioral blocks.
(4) Clarify how 'Claude AI' is used and where its credentials (if any) should be provided — the SKILL.md is vague here.
(5) If you cannot confirm the missing metadata or source provenance (homepage/source unknown), treat this as higher risk: either request the author to update the registry metadata to declare required env vars and a source URL, or avoid running it with privileged/primary credentials.
If you proceed, use least-privilege API keys, isolated runtime, and monitor outbound API calls from your environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk979aqtj0hg4s8s52ww4zk3gh584h8av
