Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instant Client Audit

v1.0.0

Generates a detailed AI-powered audit report analyzing website, SEO, ads, social media, reviews, tech stack, and competitors from a prospect's domain to help...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill name/description (auditing website, SEO, ads, social, reviews, tech stack, competitors) aligns with the listed Apify actors and the overall workflow: crawling, SEO audit, ad/social scrapers, tech stack detection, and an LLM report generation.
Instruction Scope
SKILL.md instructs running multiple Apify actors to crawl and scrape target domains and then generate an AI report — that matches the stated purpose. It does not direct the agent to read local files or unrelated env vars, nor to exfiltrate reports to unknown external endpoints. However, the instructions require an apify_token input (to invoke Apify actors) which is not declared in the registry metadata.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk by the skill itself. That is the lowest-risk install pattern.
Credentials
The SKILL.md explicitly lists an apify_token in the sample inputs but the registry metadata lists no required environment variables or primary credential — an inconsistency. Additionally, some listed Apify actors (e.g., Facebook/Instagram/ads scrapers) may require additional credentials or tokens or rely on external data sources; those are not declared. Requesting an Apify token (and not declaring it) is disproportionate to what the registry advertises and hides a credential dependency from the user.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. Autonomous invocation is allowed (the platform default) but that alone is not a red flag here; the skill's network-based scraping behavior is expected for its function.
What to consider before installing
Before installing or enabling this skill:
(1) confirm the developer declares and documents the required Apify credential (apify_token) in the registry so you know what you'll be granting;
(2) understand that invoking the skill will run multiple third-party Apify actors which will perform outbound web scraping of any domain you provide — review Apify actor permissions and privacy/ToS implications;
(3) do not supply sensitive or internal-only domains unless you trust the runtime and actors, since crawling can collect PII and site data;
(4) ask the publisher to list any additional credentials required for social/ads scraping and to remove or disclose affiliate tracking links;
(5) if you are uncomfortable with autonomous runs that perform network requests, restrict the skill or require manual invocation.

Like a lobster shell, security has layers — review code before you run it.
