Google Trends
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: google-trends
Version: 1.0.0
The skill is classified as suspicious due to a critical shell injection vulnerability found in the `trends-daily.sh` script, which is also defined in `SKILL.md`. The script directly interpolates the `$GEO` variable (derived from user input `$1`) into a `curl` command without proper sanitization. This allows for arbitrary command execution if an attacker can control the input provided to the script by the AI agent, posing a significant Remote Code Execution (RCE) risk. While the skill's stated purpose is benign, this lack of input sanitization constitutes a high-severity vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make network requests to Google Trends and may run simple local command examples when asked.
The skill instructs use of web_fetch and shell commands to retrieve Google Trends data. This is expected for the stated purpose and is limited to public Google Trends URLs.
Use web_fetch to get Google Trends RSS: curl -s "https://trends.google.com/trending/rss?geo=US" | head -100
Review the commands before running them and allow network access only for the Google Trends lookups you intend.
If enabled, the agent could run a daily trend-report task without a new manual prompt each time.
The documentation shows an optional recurring scheduled agent turn for daily monitoring. It is disclosed and purpose-aligned, but it creates ongoing automated activity if the user configures it.
"schedule": { "kind": "cron", "expr": "0 9 * * *" },
"message": "Get today's Google Trends for US and LT. Summarize top 10 trends for each."
Only set up the cron job if you want recurring reports, and make sure you know how to pause or remove the schedule.
