Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Airbnb Revenue Maximizer — Spy on Top Listings & Earn 40% More From Your Property
v1.0.0Analyzes top Airbnb listings in your area to generate dynamic pricing, SEO-optimized listing, seasonal insights, and a professional video to boost revenue up...
⭐ 0· 58·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to use Apify, InVideo AI, and Claude to scrape Airbnb and produce videos. Those services normally require API keys/accounts and explicit configuration, but the skill declares no required env vars, credentials, or install steps. Asking an agent to scrape and analyze competitor listings without specifying how Apify actors are invoked (and how authentication is provided) is inconsistent with the stated architecture.
Instruction Scope
The SKILL.md instructs the agent to scrape top 50 listings, gather pricing/occupancy/reviews, build pricing calendars, and call external services (InVideo, Apify, Claude). Those instructions imply network activity and transmission of user data (property details, photos) to third parties, but the skill does not document where data is sent, what fields are transmitted, or obtain explicit consent. It also does not declare any limits or safeguards (rate limiting, PII handling, or TOS compliance).
Install Mechanism
No install spec and no code files — this is instruction-only, so there is no on‑disk install or archive download risk. That lowers the surface for arbitrary code being written to the environment.
Credentials
The skill references multiple third‑party paid platforms that normally require API keys (Apify, InVideo AI, Claude), yet requires no environment variables or credentials. This omission is disproportionate: either the skill is incomplete (missing declared required credentials) or it expects to use unauthenticated/undisclosed endpoints. Both possibilities are suspicious. Additionally, the skill may send user photos and property details to external services — this is sensitive and should be declared.
Persistence & Privilege
always is false and there is no indication the skill requests permanent presence or modifies other skills/config. Autonomous invocation is allowed by default but is not combined here with other privilege escalations in the metadata.
What to consider before installing
This skill appears to rely on Apify, InVideo AI, and Claude but doesn't declare the API keys or explain where user data (property details, photos) will be sent. Before installing or using it: 1) ask the author to list required credentials and exactly which endpoints the agent will call; 2) confirm how and where your property data and photos are transmitted and stored (and whether you consent); 3) verify the skill's compliance with Airbnb/Apify terms (scraping may violate terms of service); 4) avoid providing platform account credentials directly—prefer scoped API keys you can revoke; and 5) request rate‑limit and privacy safeguards (PII handling, data retention). If the developer can't provide clear answers and a declared list of env vars/permissions, treat the skill as risky and avoid sending sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk973ccth5aq8smbr417pg1hexd83vmma
License
MIT-0
Free to use, modify, and redistribute. No attribution required.