Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Project Ghost
v2.0.0
Web reading layer for AI agents. Convert any public URL into structured intelligence — entities, business intent, confidence score — in one API call.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (web reading layer) aligns with the runtime instructions (POST a URL to an external distill API and receive structured output). However the registry metadata claims no required environment variables while SKILL.md declares a required GHOST_API_KEY — an internal inconsistency in the declared capability/requirements.
Instruction Scope
SKILL.md instructs only to set an API key and POST a public URL to the service; it does not instruct reading local files, shell history, or other unrelated system state. It does, however, direct the agent to transmit the full content (or an extracted form) of arbitrary URLs to a third-party API — expected for this purpose but worth noting for privacy.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill bundle itself. Low install risk.
Credentials
The SKILL.md requires a single secret GHOST_API_KEY (reasonable for an external API), but the registry metadata lists no required env vars — inconsistency that could confuse users. Also the flow requires creating an account/email to obtain the key (privacy/data collection concern). The single API key is proportionate to the stated function, but verify what the external service does with submitted page content.
Persistence & Privilege
The skill does not request always:true and does not modify system-wide settings. It uses normal autonomous invocation defaults. No elevated persistence or cross-skill config access is requested.
What to consider before installing
This skill behaves like a typical web-reading API: it will send URLs (and the page content it extracts) to a third-party service in exchange for structured output, and SKILL.md requires a GHOST_API_KEY even though the registry metadata omitted that. Before installing:
1) Verify the API endpoint and owner — check the linked GitHub repo (https://github.com/Sid890-cpu/project-ghost) and confirm the code and maintainer identity.
2) Confirm the API domain you will be sending pages to (SKILL.md uses project-ghost-production.up.railway.app and project-ghost-lilac.vercel.app) and read its privacy/data-retention policy.
3) Avoid sending private or internal URLs or confidential documents to the service until you’ve confirmed its handling of submitted content.
4) Consider issuing a scoped/test API key or using a throwaway account for initial testing.
5) If the registry metadata is used by your agent to auto-configure secrets, correct the missing GHOST_API_KEY entry or decline install until it's clarified.
Like a lobster shell, security has layers — review code before you run it.
