Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Maps Revenue
v1.0.1
Estimate monthly revenue for local businesses from Google Maps data, rank by revenue and growth, and generate personalized outreach plus a local market video.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the workflow (scrape Google Maps, estimate revenue, produce outreach/video). However the SKILL.md explicitly says the skill is 'Powered by Apify + InVideo AI + Claude AI' and describes multiple scraping and crawling steps that would realistically require API keys, proxy/anti‑captcha infrastructure, and access to external services. The published metadata declares no required environment variables or credentials — that is inconsistent with the stated capabilities.
Instruction Scope
The instructions direct mass scraping of Google Maps and related sites, collection of contact details (phone, website), crawling websites and social media, and sending collected signals to external services for modeling and video generation. That implies transmission of potentially sensitive or regulated personal data to third parties. The SKILL.md does not provide details about where data is sent, rate limiting, CAPTCHA/proxy handling, or legal/ToS/consent considerations — the scope is broader and more invasive than the metadata indicates.
Install Mechanism
This is an instruction‑only skill with no install spec or code files, so nothing is written to disk by an installer. That lowers install risk; however, runtime network actions described in the instructions are the primary risk vector.
Credentials
No required environment variables or primary credentials are declared, yet the workflow needs at minimum API keys/tokens for Apify, InVideo, and Claude (and likely proxies or Google credentials for robust scraping). This omission is an inconsistency: either the skill expects the agent to have implicit credentials (not documented) or the SKILL.md is incomplete. Asking for no credentials but performing external API calls is disproportionate and ambiguous.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system settings. Autonomous invocation is permitted (platform default), which increases blast radius if the skill is given credentials later, but by itself it is not a unique red flag.
What to consider before installing
Before installing or running this skill, ask the author to: (1) list all required API keys/env vars (Apify token, InVideo key, Claude key, proxy credentials, etc.), (2) explain exactly which third‑party endpoints will receive scraped data and whether any data is persisted or shared, (3) confirm how they handle rate limits, CAPTCHAs, and Google/website ToS compliance, and (4) provide a privacy/retention policy for prospect data. Do not supply broad credentials (AWS, Google, or other account keys) until the above is clarified. If you need this capability now, consider running Apify scrapers yourself, reviewing the scraped output locally, and then feeding only vetted results into a trusted automation rather than giving a skill undocumented access to your keys or live data.
Like a lobster shell, security has layers — review code before you run it.
