Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AEO Prompt Question Finder

v1.0.0

Find question-based Google Autocomplete suggestions for any topic. Prepends question modifiers (what, how, why) to a seed topic and returns real autocomplete...

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included script: it queries Google Autocomplete for question-prefixed queries and can optionally enrich results with DataForSEO volume data. The DataForSEO integration is a reasonable extension of the stated purpose.
Instruction Scope
SKILL.md and the script instruct the agent to make network requests to suggestqueries.google.com and (optionally) api.dataforseo.com. The script also uses the macOS 'security' command to read Keychain entries only when volume lookup is enabled. There is no instruction to read unrelated files or secrets beyond the documented DataForSEO credentials.
Install Mechanism
No install spec; the skill is instruction-only plus an included Python script. Nothing is downloaded or installed by the skill itself.
Credentials
The registry metadata declares no required env vars, but the script optionally reads DATAFORSEO_LOGIN/DATAFORSEO_PASSWORD or macOS Keychain entries when --volume is used. This is proportionate to the optional volume feature, but the metadata does not declare this (optional) credential access.
Persistence & Privilege
The skill does not request persistent or elevated privileges, does not set always:true, and does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: fetch Google Autocomplete suggestions and, if you opt in with --volume, query DataForSEO for search volumes. If you use the volume feature, the script will (in order) try to read credentials from your macOS Keychain using the 'security' command and/or use the DATAFORSEO_LOGIN and DATAFORSEO_PASSWORD environment variables, then send those credentials to api.dataforseo.com via HTTP Basic auth over HTTPS. If you don't want to expose those credentials, either do not use --volume or provide the credentials in a controlled way (e.g., temporary env vars). Note that the Google Autocomplete endpoint is unofficial, and heavy or parallel use can trigger rate limits or IP blocking; use the documented --delay for batch runs. There is a small metadata inconsistency: the credentials are optional but are not listed in required.env. This is not harmful, but be aware that the skill may access your Keychain, though only when volume lookup is requested. If you have concerns, run the script locally in a controlled environment, inspect network traffic, or avoid providing DataForSEO credentials.
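
One way to check a skill script for the metadata gap described above, as an added example (not the skill's own code and not ClawHub's scanner). SAMPLE_SCRIPT is a constructed stand-in for the skill's script, and the function names and the declared-env list argument are assumptions; it assumes Python 3.9 or later.

```python
import ast

# Constructed sample, NOT the skill's real script: it mimics the credential
# lookups the scan describes (env vars plus the macOS `security` CLI).
SAMPLE_SCRIPT = '''
import os, subprocess

def keychain(service):
    out = subprocess.run(["security", "find-generic-password", "-s", service, "-w"],
                         capture_output=True, text=True)
    return out.stdout.strip()

def creds():
    login = os.environ.get("DATAFORSEO_LOGIN") or keychain("dataforseo-login")
    password = os.getenv("DATAFORSEO_PASSWORD") or keychain("dataforseo-password")
    return login, password
'''

def _is_environ(node):
    return isinstance(node, ast.Attribute) and node.attr == "environ"

def credential_reads(source):
    """Return (env var names read, True if the `security` CLI is invoked)."""
    env, uses_keychain = set(), False
    for node in ast.walk(ast.parse(source)):  # parsed only, never executed
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            func = node.func
            first = node.args[0] if node.args else None
            is_str = isinstance(first, ast.Constant) and isinstance(first.value, str)
            # os.getenv("X") and os.environ.get("X")
            if is_str and (func.attr == "getenv" or
                           (func.attr == "get" and _is_environ(func.value))):
                env.add(first.value)
            # subprocess.run(["security", ...]) style argv lists
            if isinstance(first, ast.List) and first.elts:
                head = first.elts[0]
                if isinstance(head, ast.Constant) and head.value == "security":
                    uses_keychain = True
        # os.environ["X"]
        elif isinstance(node, ast.Subscript) and _is_environ(node.value):
            if isinstance(node.slice, ast.Constant) and isinstance(node.slice.value, str):
                env.add(node.slice.value)
    return env, uses_keychain

def undeclared(source, declared_env):
    """Env vars the script reads that the metadata does not declare, plus the Keychain flag."""
    env, uses_keychain = credential_reads(source)
    return sorted(env - set(declared_env)), uses_keychain
```

This is a static heuristic: it sees only literal names and literal argv lists, so credential reads built from variables or shell strings need manual review.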

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Prompt Question Finder

Discover what questions people ask about a topic by querying Google Autocomplete with question modifiers.

Usage

Run the script from the skill directory:

python3 scripts/find_questions.py "travel itinerary"

Options

  • --modifiers what how why should — override default modifiers (default: what how why should can does is when where which will are do)
  • --delay 0.5 — seconds between requests (use 0.5–1.0 when running many topics in batch)
  • --json — output as JSON for programmatic use
  • --volume — fetch avg monthly search volume via DataForSEO (reads creds from macOS Keychain: dataforseo-login / dataforseo-password, or env vars DATAFORSEO_LOGIN / DATAFORSEO_PASSWORD)
  • --location 2840 — DataForSEO location code (default: 2840 = US)
  • --lang en — language code for volume lookup (default: en)

Examples

# Default modifiers (what, how, why)
python3 scripts/find_questions.py "protein powder"

# Custom modifiers
python3 scripts/find_questions.py "travel itinerary" --modifiers what how why should when

# JSON output
python3 scripts/find_questions.py "travel itinerary" --json

Rate Limits

Google Autocomplete is an unofficial endpoint. Single-topic runs (10 requests) are safe. When running multiple topics in batch or parallel, always use --delay 0.5 or higher to avoid temporary IP blocks.

How It Works

For each modifier, the script queries https://suggestqueries.google.com/complete/search with "{modifier} {topic}" and returns the autocomplete suggestions. No API key required.
