Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Direct Analysis

v1.0.1

Yandex.Direct advertising campaign analysis

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (Yandex.Direct campaign analysis) matches the steps in SKILL.md. However the SKILL.md explicitly says to 'Use YANDEX_TOKEN and CLIENT_LOGIN' yet the registry metadata lists no required environment variables or primary credential. That mismatch is unexpected and incoherent: a Yandex integration legitimately needs credentials and should declare them.
! Instruction Scope
Instructions tell the agent to obtain campaign statistics using YANDEX_TOKEN and CLIENT_LOGIN and to compute CTR/CPC/etc., but they do not specify API endpoints, expected scopes, or how to handle credentials safely. Because env vars are not declared, the agent might look for or attempt to access undeclared environment variables or other context — scope creep risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Required binary is curl, which is reasonable for calling web APIs. No arbitrary downloads or on-disk installs are present.
! Credentials
The SKILL.md requires sensitive credentials (YANDEX_TOKEN and CLIENT_LOGIN) but the skill metadata does not declare any required env vars or a primary credential. Asking for advertising-account credentials is proportionate to the stated purpose only if those credentials and scopes are declared and limited; that is not the case here.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent or elevated platform privileges in the manifest. Autonomous invocation is allowed by default but is not combined with other high-risk indicators here.
What to consider before installing
This skill's core functionality (Yandex.Direct analysis) is plausible, but the SKILL.md references YANDEX_TOKEN and CLIENT_LOGIN while the package metadata declares no required env vars and the source/homepage are unknown. Before installing: (1) ask the publisher to disclose source code or a homepage and to formally declare required env vars and the exact API endpoints and scopes; (2) only provide a read-only Yandex token with the minimal scopes needed for stats; (3) prefer installing in an isolated account or environment; (4) if you won't provide credentials, avoid giving this skill access — the current manifest is inconsistent and could prompt the agent to search for or request secrets.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📊 Clawdis
Bins: curl

SKILL.md

Direct Analysis

The bot does not publish data, does not change campaigns without permission, and conserves tokens.

When to use

When the user asks about:

  • Direct
  • advertising
  • advertising campaigns
  • ad analysis

For evaluating the effectiveness of advertising campaigns, CTR, CPC, spend, conversions, and weak ads.

Steps

  1. Retrieve campaign statistics:
    • Use YANDEX_TOKEN and CLIENT_LOGIN
    • Determine CTR, CPC, spend, conversions
  2. Analyze weak ads and keywords
  3. Produce brief recommendations:
    • Bid and budget optimization
    • Adjustments to ad copy and CTAs
    • Suggestions for new audience segments

Files

1 total