Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Search Console

v1.0.0

Access Google Search Console API via cURL with OAuth to manage sites, sitemaps, and query search analytics including clicks, impressions, and rankings.

by Otman Heddouch (@otman-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to provide Google Search Console access and the SKILL.md shows a coherent method (calls to a Maton gateway that proxy Google APIs). Requiring an API key for such a gateway is reasonable. However, the skill metadata declares no required credentials while the runtime instructions explicitly require MATON_API_KEY, which is an internal inconsistency.
Instruction Scope
The SKILL.md stays within the scope of managing Search Console: listing sites, search analytics queries, and sitemap operations. It does not instruct the agent to read unrelated system files or other environment variables. It does, however, direct users to external Maton endpoints (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai) and to open URLs containing session tokens for OAuth, which transfers auth decisions to a third-party service.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no disk install risk from the skill bundle itself.
Credentials
The runtime instructions require an environment variable named MATON_API_KEY and describe connection/session tokens, but the registry metadata lists no required env vars and no primary credential. That mismatch is concerning: the skill will only work if you provide a sensitive bearer token, yet the metadata does not surface that fact for reviewers or automated gating. In addition, using a gateway service means that the gateway operator will receive proxied Google Search Console data and tokens — a privacy/privilege consideration that should be evaluated.
Persistence & Privilege
The skill does not request always:true and has no install-time persistence. It does not request modifying other skills or system-wide settings. Autonomous invocation is allowed (platform default), which is normal and not by itself a red flag.
What to consider before installing
Before installing or using this skill:
(1) be aware the SKILL.md requires a MATON_API_KEY though the metadata does not declare it — prefer skills that declare required credentials explicitly.
(2) Evaluate whether you trust Maton (gateway.maton.ai / ctrl.maton.ai / connect.maton.ai) because those endpoints will see your Search Console requests and participate in OAuth flows; check their operator, privacy policy, and security posture.
(3) If you prefer greater control, use Google’s official APIs or your own proxy and OAuth credentials (service account or direct OAuth) instead of a third-party gateway.
(4) Do not paste your MATON_API_KEY or session tokens into public places; restrict the key's permissions and rotate/revoke it if you stop using the skill.
(5) Ask the publisher to update registry metadata to declare MATON_API_KEY as a required/primary credential so reviewers and automated systems can surface the risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk976w3ynzkx2k8mp5hbp6avrr184cw1t
