Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Supplier Intelligence
v1.0.2
Find, score, and shortlist top 20 verified suppliers globally with risk analysis, negotiation scripts, RFQ templates, and automated relationship management.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md repeatedly states the skill uses Apify (multiple scrapers), GetResponse (automation), and Claude AI to locate and score suppliers across Alibaba, LinkedIn, news, social, and review sites. However, the skill declares no required environment variables, credentials, or install steps. Realising those capabilities would normally require API keys/accounts (Apify, GetResponse, Claude), possibly proxies, and scraping infrastructure—none are requested. That mismatch is incoherent.
Instruction Scope
The runtime instructions direct large-scale scraping and aggregation of supplier data across many third-party sites and describe creating an automated outreach pipeline in GetResponse. The SKILL.md (as provided) does not specify how to authenticate to those services or how to handle rate limits/proxies, and it sets no constraints on what data to collect or how to protect PII. That open-ended scraping and data transfer to a third-party CRM is scope-expanding and raises privacy/operational concerns.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; that minimizes disk-installed attack surface. There is no installer or archive download declared.
Credentials
Despite depending on external paid services (Apify, GetResponse, Claude), the skill lists zero required environment variables or primary credentials. A legitimate integration would require API keys/tokens and possibly account configuration. The absence of declared credentials is disproportionate and ambiguous—it's unclear how the skill expects to perform authorized actions like creating GetResponse campaigns or invoking Apify actors.
Persistence & Privilege
The skill is not set to always:true and does not request elevated or persistent system-wide privileges in the metadata. There is no indication it modifies other skills or global agent settings.
What to consider before installing
This skill's description says it scrapes many sites and wires up Apify, GetResponse, and Claude AI, but it doesn't ask for the API keys or setup needed to do that—this is a red flag. Before installing or using it, ask the author to: (1) list required API keys/tokens and explain how credentials are used and stored; (2) confirm whether scraping requires proxies or external accounts and who pays for those services; (3) explain how PII and supplier data are protected and where data is sent/stored (especially when using GetResponse); (4) provide clear limits on what is scraped and compliance with target sites' terms of service; and (5) remove or explain affiliate/tracking links. Do not supply production or corporate credentials until you have these clarifications and have validated the skill with test/non-sensitive accounts.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f077q9zrqhd85rx0mz3v1qs84fy97
