AEO Prompt Frequency Analyzer

v1.0.0

Analyze what search queries Gemini uses when answering a prompt, by running it multiple times with Google Search grounding and reporting frequency distributi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement exactly what the skill claims: repeated calls to Gemini with Google Search grounding and frequency reporting. That behavior is coherent with the name/description. However, the registry metadata claims no required environment variables even though the script and SKILL.md require a Gemini API key, which is an inconsistency.
[!] Instruction Scope
SKILL.md instructs users to fetch GEMINI_API_KEY from the macOS Keychain using the 'security' command and a specific key name ('nano-banana-pro'). The script itself only reads GEMINI_API_KEY from the environment. The SKILL.md's macOS-specific retrieval step and hard-coded key name are undocumented in the registry metadata and expand the practical scope (requires a keychain entry and the 'security' binary) without declaration.
Install Mechanism
This is an instruction-only skill with a bundled Python script and no install spec. Nothing is downloaded or executed beyond the included script and standard Python/urllib usage, which is low-risk from an install perspective.
[!] Credentials
The script legitimately needs a single GEMINI_API_KEY to call the Google generativelanguage API. But the registry metadata lists no required env vars while SKILL.md and the script require GEMINI_API_KEY (and even recommend pulling it from a specific keychain entry). The request for an API key is proportionate to the task, but the missing declaration and the hard-coded keychain name are red flags (metadata mismatch, OS-specific guidance).
Persistence & Privilege
The skill does not request permanent/always-loaded presence, does not modify other skills or system-wide configs, and does not store credentials itself. It simply makes outbound API calls when run.
What to consider before installing
This skill's code matches its description: it repeatedly calls the Gemini API with Google Search grounding and aggregates queries. However, the registry metadata does not declare that GEMINI_API_KEY is required, while SKILL.md and the script both expect it — SKILL.md even suggests retrieving it from macOS Keychain using a specific key name ('nano-banana-pro').

Before installing or running:
1) Verify the Gemini API key source and name (you may prefer to set GEMINI_API_KEY explicitly rather than using the sample keychain command).
2) Be aware the script will make multiple outbound requests to Google's API (costs and rate limits possible).
3) If you are not on macOS, the suggested 'security' command won't apply; adjust instructions accordingly.
4) Because the package source/homepage is unknown, consider auditing the included script (scripts/analyze.py) yourself or running it in an isolated environment.

The mismatches between registry metadata and SKILL.md lower trust but do not by themselves indicate malicious behavior.

Like a lobster shell, security has layers — review code before you run it.
