Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Geopolitical Analyst
v0.1.2
Live geopolitical intelligence analysis with 39 analytical modules and real-time data integration. No API keys required.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md claims a full analysis engine (geopolitical_analyst_agent.py, interactive_monitor.py, automated_monitor.py, modules loader, etc.) and live integration with five public APIs with 'no API keys required.' The actual manifest does NOT contain those claimed executable files — only references, docs, requirements.txt, and scripts/fetch_intelligence.py. That mismatch is incoherent. Also, one of the named sources (ACLED / some UN data offerings) historically can require registration/API tokens for certain endpoints — the blanket 'no keys required' claim is possibly inaccurate.
Instruction Scope
Runtime instructions tell the agent/user to run specific scripts (interactive_monitor.py, geopolitical_analyst_agent.py) and describe local-only processing and 'no data sent to external servers.' Because those scripts are not present in the manifest, the instructions reference files that don't exist here. The included fetch script (and any missing modules) may still make network calls; the SKILL.md's claim 'No data sent to external servers' conflicts with the declared behavior of fetching live data from public APIs and with the presence of a fetch_intelligence.py file — the actual network endpoints used must be audited.
Install Mechanism
No install spec is provided (instruction-only), and a requirements.txt lists only common Python packages (requests, python-dateutil). This is low-install-risk, but because code files exist they will be installed/run by the user environment after pip installs — review is still recommended.
Credentials
The skill declares no required environment variables or credentials, which aligns with its 'public APIs, no keys' claim. However, that claim may be inaccurate (some public data providers limit access or require tokens for bulk API use). Also, without inspecting the fetch script and any missing modules, we cannot confirm the code doesn't read environment variables or local config files; the absence of many referenced files from the manifest increases uncertainty.
Persistence & Privilege
The skill does not request always:true or any system-level config paths and is user-invocable only. That scope is appropriate. The main risk is standard: code may perform network I/O when invoked. Autonomous invocation is allowed by default on the platform but is not by itself a new red flag here.
What to consider before installing
Do not install or enable this skill for full use until you verify its code and provenance. Specific steps:
- Verify file consistency: SKILL.md lists many scripts (interactive_monitor.py, geopolitical_analyst_agent.py, etc.) that are missing from the manifest. Ask the publisher why those files are absent or retrieve the claimed repository to confirm the real contents.
- Inspect code: review scripts/fetch_intelligence.py and any other code for hardcoded endpoints, unknown domains, POST requests, or calls to non-listed servers. Search for suspicious patterns: requests.post to unfamiliar hosts, use of subprocess/exec, eval/compile, base64-embedded payloads, or attempts to read ~/.ssh, cloud SDK config, or environment variables.
- Confirm API requirements: check the actual public APIs (ACLED, GDELT, ReliefWeb, Frankfurter, UN OFAC) for any registration or token requirements for the endpoints the code uses; the 'no API keys required' claim may be false for some uses.
- Run in a sandbox: if you want to test, run the code in an isolated VM or container with network monitoring, and observe outbound connections on first run.
- Verify provenance: the SKILL.md references a GitHub repo; fetch that repo separately and compare contents and commit history to ensure the package wasn't tampered with.
- Prefer caution with autonomous invocation: until you audit the code, avoid enabling autonomous execution or broad permissions that would let the skill run without your review.
If you can provide the full contents of scripts/fetch_intelligence.py and any other code files, I can do a focused review to identify any explicit exfiltration or suspicious behavior and raise confidence in this assessment.
Like a lobster shell, security has layers — review code before you run it.
