Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Niche Finder

v1.0.0

Identifies and validates untapped niches using multi-platform live data, scoring demand, competition, and monetization to create go-to-market strategies with...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill promises to deploy Apify scrapers, call multiple platform endpoints, use Claude AI for scoring, and provision GetResponse automations, but the package lists no required environment variables, no primary credential, no install steps, and no code. Realizing the advertised functionality would normally require at minimum: an Apify token/account (or hosted actor code), a GetResponse API key/account, possibly a Claude/AI provider API key, and proxies or infrastructure for large-scale scraping. The absence of those requirements is incoherent with the stated purpose.
! Instruction Scope
The SKILL.md explicitly instructs the agent to deploy scrapers across Reddit, Google Trends, Amazon, TikTok, YouTube, LinkedIn, X, Google Search and niche sites and to push leads into GetResponse. Those runtime actions involve external network calls, third-party accounts, and likely storing/transmitting scraped user content. However, the skill metadata does not declare what endpoints/credentials will be used or what data will be transmitted. The instructions therefore direct activity that reaches beyond the skill's declared scope and give the agent broad discretion without required safeguards.
Install Mechanism
There is no install spec and no code files (instruction-only). That reduces disk/write risk, but it also means the SKILL.md is essentially a plan that expects the agent/user to have external accounts and tooling. The lack of install details is inconsistent with the claim of automated multi-platform scraping and automation provisioning.
! Credentials
Given the advertised integrations, one would expect required env vars such as APIFY_TOKEN, GETRESPONSE_API_KEY, and a Claude/model API key. The skill declares none. This is disproportionate: the requested (zero) privileges do not match the high-privilege network operations the instructions require. The SKILL.md also contains affiliate/trackable links in the tool list, which is unrelated to credentials but should be noted.
Persistence & Privilege
The skill's always setting is false and autonomous invocation is not disabled, which is the platform default. The skill does not request persistent or elevated system presence according to its metadata, so no extra privilege is flagged here.
What to consider before installing
This skill makes strong claims about running scrapers and wiring third-party services but provides no code, no install steps, and declares no credentials — that's an incoherence you should resolve before trusting it. Ask the publisher for: (1) explicit required environment variables (Apify token, GetResponse API key, Claude/API key) and how you must provision them; (2) the exact API endpoints and whether the skill will use your accounts or a shared/third-party account; (3) where scraped data is stored, retention policy, and privacy/ToS considerations for scraping each platform; (4) an implementation (code or actor definitions) or a hosted service endpoint you can review; and (5) a homepage, contact, and privacy/security policy. Do not provide API keys or credentials until these questions are answered and you verify the implementation and owner. If you must test, do so with least-privilege, temporary/test accounts and avoid sharing production credentials.

Like a lobster shell, security has layers — review code before you run it.
