Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Search Rank Tracker

v0.1.1

Track whether ChatGPT, Claude, Gemini, and Perplexity recommend a startup or brand across a prompt set. Use when you need AI search visibility tracking, GEO...

0 · 299 · 1 current · 1 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for x-rayluan/ai-search-rank-tracker.

Install the skill "Ai Search Rank Tracker" (x-rayluan/ai-search-rank-tracker) from ClawHub.
Skill page: https://clawhub.ai/x-rayluan/ai-search-rank-tracker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install x-rayluan/ai-search-rank-tracker

ClawHub CLI

npx clawhub@latest install ai-search-rank-tracker
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The codebase and package.json depend on OpenAI and Anthropic SDKs (openai, @anthropic-ai/sdk) which match the stated purpose of querying ChatGPT and Claude. That dependency footprint is proportionate to the skill's described goal. However the registry metadata lists no required env vars or primary credential even though the project clearly expects API keys (SKILL.md: 'Configure keys in .env' and outputs show Missing ANTHROPIC_API_KEY / OpenAI quota errors). The lack of declared credentials in the metadata is an incoherence.
Instruction Scope
SKILL.md instructs running scripts/install.sh and node src/index.js with a prompt JSON and explicitly tells the user to configure keys in .env and that Anthropic/OpenAI and OpenRouter/EZRouter setups are supported. The runtime instructions stay within the stated purpose (no broad system file reads or unrelated data collection are instructed). The only scope issue is that the skill's runtime requires external API credentials (implied but not declared) — SKILL.md does mention configuring .env, so behavior is not hidden but the metadata omission is inconsistent.
Install Mechanism
There is no registry install spec, but the repo includes scripts/install.sh and package.json requiring npm dependencies (openai, @anthropic-ai/sdk, dotenv). Installing will run npm install and fetch packages from the public npm registry; no suspicious remote downloads or archive extraction from unknown hosts were observed. The minor risk: an included install script exists but the skill metadata does not advertise an install step — this is an operational inconsistency but not a direct code-hosting red flag.
Credentials
The project clearly expects API keys (OpenAI, Anthropic, possibly OpenRouter/EZRouter or other provider config) and accesses them via .env/dotenv at runtime, but the skill registry lists no required env vars or primary credential. This mismatch is problematic because users installing the skill may not be warned that sensitive API keys will be needed and used. Requiring multiple provider keys is proportionate to multi-engine tracking, but the omission in declared requirements increases the risk of accidental exposure if the user misconfigures .env or shares output files.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It does not declare system config paths or claim to modify other skills. It will perform network calls to external LLM provider endpoints (expected for purpose) but otherwise does not request elevated persistence or cross-skill config changes.
What to consider before installing
  • This repository will call external LLM provider APIs (OpenAI for ChatGPT, Anthropic for Claude, and possibly other routing layers). You must provide API keys (expected via a .env file), but the skill listing did not declare those required env vars — treat that as an omission, not absence of requirement.
  • Installing runs npm install (see scripts/install.sh / package.json). That fetches packages from the public npm registry (openai, @anthropic-ai/sdk, dotenv). If you want to be cautious, inspect scripts/install.sh, run npm install in an isolated environment (container, VM), or vendor/verify dependencies before executing on a machine with sensitive data.
  • The skill will send your prompts and brand names to third-party LLM providers when you run it. Do not put secrets or private data into prompt files unless you trust the configured provider and account billing/retention policies.
  • The primary incoherence here is metadata: the registry claims no required env vars, but the code and SKILL.md require API keys. Ask the publisher to update skill metadata to list required environment variables (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY, and any router-related vars) and to document exactly which keys are mandatory and optional.
  • Recommended actions: review scripts/install.sh, review src/* for any unexpected outbound endpoints, run in an isolated/containerized environment, provide only provider API keys (rotate them if you later suspect misuse), and verify the publisher/source (this package appears to be a local project; no upstream homepage was provided).

Like a lobster shell, security has layers — review code before you run it.

latestvk9709p6d7zbcqmprqkqp6nqy6h85ep6m
299 downloads
0 stars
2 versions
Updated 7h ago
v0.1.1
MIT-0

AI Search Rank Tracker

Run the tracker against a prompt set and produce a visibility report.

Inputs

Use a JSON file like prompts/starter.json:

{
  "brand": "clawlite.ai",
  "aliases": ["clawlite", "claw lite", "clawlite ai"],
  "prompts": [
    "best openclaw alternative",
    "easiest openclaw installer",
    "openclaw for beginners"
  ],
  "engines": ["chatgpt", "claude", "gemini", "perplexity"]
}

Install

Use the one-click bootstrap:

bash scripts/install.sh

Run

node src/index.js prompts/starter.json

Outputs

Find reports in output/:

  • JSON report
  • Markdown report
  • CSV report

Prompt database

Use the built-in prompt database in prompt-db/ for larger GEO / AI SEO scans.

Included categories:

  • SaaS
  • AI tools
  • Developer tools
  • OpenClaw ecosystem
  • Local AI tools

Each record includes category and commercial metadata so prompt sets can be grouped by intent, journey stage, and buyer value.

Notes

  • Configure keys in .env
  • OpenAI-compatible backends are supported
  • Anthropic is supported
  • OpenRouter / EZRouter-compatible setups can be wired through environment variables
  • Per-engine failures do not fail the whole batch
