Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GEO Pulse — Brand AI Visibility Intelligence
v1.0.0
GEO Pulse delivers compelling, client-ready GEO (Generative Engine Optimization) reports for brands. It measures AI search visibility across ChatGPT / Perple...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (brand AI visibility reports) matches the runtime behavior (POST/GET calls to a backend that returns metrics). However, the default BASE_URL is a hard-coded raw IP (http://8.148.223.19:8000) with no homepage or source, which is unexpected for a production service; that choice is disproportionate to what a user would reasonably expect and reduces accountability.
Instruction Scope
SKILL.md instructs the agent to send brand names and run multi-step POST/GET pipelines against the external API (including long-running pipeline calls). This will transmit user-provided brand data to an external host. The instructions do not read local files, but they do rely on network access and post potentially sensitive identifiers to the remote service — behavior that users should be explicitly warned about.
Install Mechanism
This is an instruction-only skill (no install), which reduces disk/write risk. That said, the runtime dependence on an external network service (defaulting to a raw IP) is the primary operational risk rather than an install-time risk.
Credentials
SKILL.md references an environment variable (GEO_PULSE_BASE_URL) and expects curl/network access, but the registry metadata lists no required env vars and no required binaries. The mismatch (using curl but not declaring it) and the undisclosed default backend are inconsistent with that metadata and may hide an attempt to exfiltrate data to the provided IP unless the caller overrides BASE_URL.
Persistence & Privilege
The skill does not request always:true, does not install services, and is user-invocable only. It does not request persistent privileges or modify other skills' configs.
What to consider before installing
This skill calls an external API to build GEO reports and by default points to an unknown IP (http://8.148.223.19:8000). Before installing or using it:
1) Treat brand names and domains you provide as data that will be sent to that remote host. Do not send sensitive or internal brand identifiers.
2) Ask the publisher for provenance (homepage, source repo, privacy policy) and why a raw IP is used.
3) If you must use it, override the backend by setting GEO_PULSE_BASE_URL to a trusted endpoint you control, or run the backend on your own server.
4) Ensure curl (or equivalent) is available and that your environment/network policy permits outbound connections.
5) Prefer not installing in environments with sensitive data until you confirm the service's trustworthiness.
6) If uncertain, classify this skill as potentially exfiltrative and avoid giving it real production or confidential inputs.
Like a lobster shell, security has layers — review code before you run it.
