Skill v1.0.0

ClawScan security

AI Airbnb Revenue Maximizer — Spy on Top Listings & Earn 40% More From Your Property · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 29, 2026, 1:10 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's described functionality relies on third‑party services (Apify, InVideo AI, Claude) and web scraping, but the SKILL.md and registry metadata do not declare the credentials, environment variables, or exact external endpoints needed — that mismatch and the potential for sending user data to external services are concerning.
Guidance
This skill appears to rely on Apify, InVideo AI, and Claude but doesn't declare the API keys or explain where user data (property details, photos) will be sent. Before installing or using it: 1) ask the author to list required credentials and exactly which endpoints the agent will call; 2) confirm how and where your property data and photos are transmitted and stored (and whether you consent); 3) verify the skill's compliance with Airbnb/Apify terms (scraping may violate terms of service); 4) avoid providing platform account credentials directly—prefer scoped API keys you can revoke; and 5) request rate‑limit and privacy safeguards (PII handling, data retention). If the developer can't provide clear answers and a declared list of env vars/permissions, treat the skill as risky and avoid sending sensitive data.

Review Dimensions

Purpose & Capability
concern: The skill claims to use Apify, InVideo AI, and Claude to scrape Airbnb and produce videos. Those services normally require API keys/accounts and explicit configuration, but the skill declares no required env vars, credentials, or install steps. Asking an agent to scrape and analyze competitor listings without specifying how Apify actors are invoked (and how authentication is provided) is inconsistent with the stated architecture.
Instruction Scope
concern: The SKILL.md instructs the agent to scrape top 50 listings, gather pricing/occupancy/reviews, build pricing calendars, and call external services (InVideo, Apify, Claude). Those instructions imply network activity and transmission of user data (property details, photos) to third parties, but the skill does not document where data is sent, what fields are transmitted, or obtain explicit consent. It also does not declare any limits or safeguards (rate limiting, PII handling, or TOS compliance).
Install Mechanism
ok: No install spec and no code files — this is instruction-only, so there is no on‑disk install or archive download risk. That lowers the surface for arbitrary code being written to the environment.
Credentials
concern: The skill references multiple third‑party paid platforms that normally require API keys (Apify, InVideo AI, Claude), yet requires no environment variables or credentials. This omission is disproportionate: either the skill is incomplete (missing declared required credentials) or it expects to use unauthenticated/undisclosed endpoints. Both possibilities are suspicious. Additionally, the skill may send user photos and property details to external services — this is sensitive and should be declared.
Persistence & Privilege
ok: "always" is false and there is no indication the skill requests permanent presence or modifies other skills/config. Autonomous invocation is allowed by default but is not combined here with other privilege escalations in the metadata.