Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Local Business Money
v1.0.0Scrapes local businesses by category and location, runs health diagnostics, calculates revenue lost, ranks leads by opportunity, and generates tailored outre...
⭐ 0· 32·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to run large-scale scrapes (Google Maps, Instagram, Yelp, Trustpilot), call Apify actors, produce videos via InVideo AI, and use Claude for scoring. That purpose is coherent with the instructions, but those upstream services normally require API keys, accounts, and/or proxies — yet the skill declares no required environment variables, credentials, or install steps. This mismatch suggests missing information about how the skill authenticates and performs networked work.
Instruction Scope
The SKILL.md stays within the stated purpose: scrape businesses, run diagnostics, calculate opportunity scores, generate outreach, and produce a market video. However it instructs large-scale data collection (names, addresses, phone numbers, review content, review trends) and automated outreach content generation. That collection is expected for lead generation but has privacy, ToS, and rate-limit implications. The instructions do not appear to require reading local files or agent config, which is good.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. This minimizes on-disk risk because nothing is downloaded or executed by default.
Credentials
Given the declared dependencies (Apify, InVideo AI, Claude) the absence of required API tokens, keys, or proxy credentials is unexpected. Real usage of those services typically needs authentication and billing setup. The skill also intends to scrape third-party sites (Google Maps, Instagram) which often require additional tooling (proxies, captchas, accounts) — none of which are requested or documented here.
Persistence & Privilege
The skill does not request always-on inclusion, does not declare changes to other skills or global agent config, and appears to rely on runtime instructions only. Autonomous invocation is allowed (platform default) but is not combined here with elevated persistent privileges.
What to consider before installing
This skill appears to do what it says (scrape many sources, score opportunities, and generate outreach/videos), but it omits how it will authenticate to the external services it names. Before installing or using it:
- Ask the publisher how Apify, InVideo, and Claude are authenticated — you should expect to provide API keys/tokens and to understand billing implications. Do not hand over unrelated credentials.
- Confirm whether the skill will use your own API tokens (preferred) or a publisher-controlled account (riskier).
- Be aware of Terms of Service and legal/privacy issues when scraping Google Maps, Instagram, Yelp, etc.; automated scraping can violate site ToS or trigger rate-limits/captchas and may expose personal data.
- Verify whether proxies or captcha-solvers are required and who pays for them.
- Because this is instruction-only and has no publisher homepage or verifiable owner info, prefer not to enable it until the publisher documents authentication, data handling, and costs. If you must try it, test in a sandboxed environment and supply only dedicated API keys with limited scope and billing safeguards.Like a lobster shell, security has layers — review code before you run it.
latestvk97e71w85vj3f9k2q3a9spp6yd83yx92
License
MIT-0
Free to use, modify, and redistribute. No attribution required.