ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instant Audit Report

v1.0.1

Generates detailed AI-powered audit reports on website, SEO, ads, social media, tech stack, reviews, and competitors from a prospect's domain to aid client a...

0· 35·0 current·0 all-time
by@nicemaths123·duplicate of @nicemaths123/instant-client-audit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md describes orchestrating multiple Apify actors and using Claude AI to generate reports; that legitimately requires an Apify token and an LLM API key. The registry metadata, however, lists no required environment variables or primary credential — this is inconsistent and disproportionate.
!
Instruction Scope
Runtime instructions instruct scraping Google Search, Google Maps reviews, Facebook/Instagram, and running multiple Apify actors. While this aligns with an audit tool, the docs do not specify what credentials, session cookies, or rate‑limits are needed, nor where scraped data is stored or transmitted (Apify account, external endpoints, or back to the agent). The instructions also call out Claude AI but never document the LLM credential to use.
Install Mechanism
Instruction-only skill with no install spec or bundled downloads; nothing is written to disk by the package itself, which lowers installation risk.
!
Credentials
SKILL.md input examples include an apify_token and implicitly require an LLM key for Claude, but requires.env is empty. Additionally, scraping social/ad platforms often requires auth or cookies; requesting no environment credentials in metadata is disproportionate and misleading.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not declare modifications to other skills or system settings.
What to consider before installing
Do not install or run this skill until the developer clarifies what credentials and network access it needs. Ask for: (1) an explicit list of required environment variables (e.g., APIFY_TOKEN, the specific LLM/Claude API key name), (2) where scraped data is stored or sent (Apify account, third‑party storage, or returned to you), and (3) what authentication is required for social/ad scrapers. Be cautious about providing long‑lived API tokens — an APIFY_TOKEN can run actors under your account and incur charges or leak data. If you must test, use a throwaway Apify account with limited billing, do not reuse production credentials, and verify compliance with target sites' terms of service and privacy regulations. The package has no known source or homepage listed; lack of provenance lowers trust — prefer skills with a verifiable source or request that from the publisher.

Like a lobster shell, security has layers — review code before you run it.

latestvk978na1enn85gn6cbhsphda0xx84mwkr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments