ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Admapix

v1.0.0

Ad intelligence & app analytics assistant. Search ad creatives, analyze apps, view rankings, track downloads/revenue, and get market insights via api.admapix...

0· 50·1 current·1 all-time
by@rockyzhuo·fork of @fly0pants/admapix (1.0.27)
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (ad intelligence & app analytics) align with the only declared credential (ADMAPIX_API_KEY) and the documented API endpoints at api.admapix.com. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md stays on-topic: it specifies language handling, how to check/set the ADMAPIX_API_KEY, how to classify queries (Simple vs Deep), and how to call the documented API endpoints. Important note: the skill documents a server-side "Deep Research Framework" that will perform multi-step research and host structured HTML reports — complex/Deep queries will be sent to AdMapix servers and results hosted externally. Also the runtime flow instructs the agent to run shell commands to check/set config and to persist the API key into the OpenClaw config (openclaw config set ...).
Install Mechanism
This is instruction-only (no install spec, no code). Nothing is downloaded or written by an installer. The skill expects the platform's OpenClaw tools (openclaw config) to exist, which is reasonable for a skill that stores an API key in agent config.
Credentials
Only one credential is declared (ADMAPIX_API_KEY) which is appropriate for an API-driven service. The SKILL.md uses that env var in examples and commands. Be aware that the skill's suggested behavior will write the provided API key into the agent's OpenClaw config for persistent use.
Persistence & Privilege
always:false (no forced inclusion). The skill instructs the agent to run openclaw config set to store the API key in the agent configuration — this is normal for API-backed skills but means the key will be persisted on the agent. Deep Research reports are hosted externally by the vendor, which implies outbound data transfer of queries and results to AdMapix servers.
Assessment
This skill appears to do what it says: it calls api.admapix.com and needs your ADMAPIX_API_KEY. Two things to consider before installing: (1) privacy/data exfiltration — complex "Deep Research" queries are routed to AdMapix's server and generated reports are hosted externally, so any query content (app names, competitor lists, uploaded parameters) will leave your environment; (2) credential persistence — the skill's flow will store your API key in the OpenClaw agent config when you paste it. Only proceed if you trust the AdMapix service and are comfortable storing a key on the agent. Additional practical steps: verify the publisher (homepage is missing), prefer creating a scoped/dedicated API key you can revoke, avoid pasting the key in public channels, and review AdMapix's privacy/terms before using Deep Research features.

Like a lobster shell, security has layers — review code before you run it.

latestvk9780n346vbcdsytmfwvdbfw6n83jv2j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis
Primary envADMAPIX_API_KEY

Comments