Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Restaurant and Food Brand Marketing Engine

v1.0.0

Scrapes restaurant reviews, competitor data, and trending food content to generate tailored marketing strategies and viral video scripts for food brands.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (scrape reviews, monitor social platforms, produce video content) align with the runtime instructions which use Apify actors and InVideo. However the registry metadata declares no required environment variables or credentials while the SKILL.md explicitly asks users to set APIFY_TOKEN and INVIDEO_API_KEY — an inconsistency between declared requirements and actual needs.
! Instruction Scope
SKILL.md instructs scraping Google Maps, Yelp, TikTok, Instagram, Reddit and websites via Apify actors and includes code snippets that call Apify actors and access process.env.APIFY_TOKEN. The instructions allow broad collection of third‑party content with no guidance on rate limiting, respecting terms of service, PII handling, or consent. The skill also references Claude AI but gives no guidance on supplying credentials for it.
Install Mechanism
There is no install spec in the registry (instruction-only), which is low risk for arbitrary code installs. The README tells users to run `npm install apify-client axios`—a reasonable, minimal dependency set for the described tasks—but this is not recorded in install metadata.
! Credentials
The runtime requires APIFY_TOKEN and INVIDEO_API_KEY (and implicitly may require credentials for any AI provider like Claude), but the skill metadata lists no required env vars or a primary credential. The credentials requested in the docs are consistent with the skill's functions, but the omission from metadata is an incoherence and reduces transparency. There is no request for unrelated secrets, which is good.
Persistence & Privilege
The skill does not request elevated persistence (always: false) and is user-invocable. It does not attempt to modify other skills or system configurations in the provided instructions.
Scan Findings in Context
[env.APIFY_TOKEN] expected: SKILL.md instructs users to create an Apify account and export APIFY_TOKEN; this is expected for scraping via Apify but the registry metadata did not declare it as required.
[env.INVIDEO_API_KEY] expected: SKILL.md instructs users to set INVIDEO_API_KEY for video generation; expected for the described video production functionality but absent from declared requirements.
[references.Claude_AI_without_credentials] unexpected: The doc cites 'Claude AI' as a power source but provides no instruction for supplying Claude credentials or how/where prompts are sent, creating an information gap about how that integration will be authenticated or billed.
What to consider before installing
Before installing or using this skill: (1) understand that SKILL.md requires you to provide API keys (Apify and InVideo) even though the registry metadata does not list them — confirm you trust the publisher before exporting secrets into your environment; (2) verify terms of service and legal/ethical implications of scraping Google Maps, Yelp, TikTok, Instagram and Reddit (these services may restrict scraping or require explicit consent); (3) limit the privileges and scope of any API keys you create (use per-project tokens, set minimal scopes, monitor usage and billing); (4) ask the skill author to update the registry metadata to declare required env vars (and any external endpoints) and to provide guidance on rate limiting, PII handling, and required credentials for Claude; (5) if you are not comfortable providing API keys to an unverified/unknown source, do not proceed.

Like a lobster shell, security has layers — review code before you run it.

Tags: apify, food-content, food-marketing, food-tiktok, google-maps, invideo, latest, local-business, restaurant-marketing, restaurant-seo, review-management

