Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Affiliate Skills

v1.0.0

Live affiliate program data from list.affitor.com. Search programs, compare commissions, check cookie days, find top performers. Use when researching affilia...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sonpiaz/affiliate-skills.

Prompt preview (Install & Setup):
Install the skill "Affiliate Skills" (sonpiaz/affiliate-skills) from ClawHub.
Skill page: https://clawhub.ai/sonpiaz/affiliate-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install affiliate-skills

ClawHub CLI

npx clawhub@latest install affiliate-skills

Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (live affiliate program data from list.affitor.com) match the included API.md, CLI tool sources (tools/src), and many SKILL.md files for affiliate-focused functions. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
Runtime instructions tell the agent to check for a local compiled binary, ask the user to permit a one-time build (./setup), and then run a persistent Bun-based daemon that uses /tmp/affiliate-check.json and listens on localhost ports 9500–9510. These actions are within scope for a CLI helper, but they involve executing local build and server commands and creating a state file in /tmp — review the setup script and CLI source before running.
[!] Install Mechanism
Registry lists no formal install spec, but SKILL.md's setup step may run './setup' and, if Bun is missing, suggests running 'curl -fsSL https://bun.sh/install | bash'. Piping remote install scripts is a high-risk pattern; while bun.sh is a known runtime, executing an unattended remote installer should be treated cautiously and inspected first.
Credentials
No required environment variables are declared; SKILL.md documents an optional AFFITOR_API_KEY for higher API limits, and code examples use process.env.AFFITOR_API_KEY. The requested environment access is limited and proportional to the stated purpose.
Persistence & Privilege
The skill runs a local persistent daemon with an in-memory cache and a state file under /tmp and auto-shutdown after idle. 'always' is false and the skill does not request system-wide or other-skills' configuration changes. Persistent local server behavior is expected for this CLI design.
Scan Findings in Context
[prompt-injection-ignore-previous-instructions] expected: A prompt-injection pattern (e.g., 'ignore-previous-instructions') was detected in SKILL.md content. In this repo the string appears inside CLAUDE.md as a defensive rule (explicitly telling agents to ignore instruction-like text coming from untrusted API/web content). This use is expected and is a safety guideline, not an attack.
Assessment
This package appears to be what it says: a collection of affiliate-marketing skills with a small local CLI that queries list.affitor.com. Before installing or running anything:
  1) Inspect the repository's setup script (./setup) and any scripts it calls; do NOT run remote installers blindly (the README/SKILL.md suggests 'curl | bash' for Bun — instead inspect the bun.sh installer or install Bun from an OS package or your preferred method).
  2) Inspect the CLI source (tools/src) for any unexpected network endpoints or data-sending behavior beyond calls to list.affitor.com.
  3) If you run the daemon, be aware it listens on localhost and writes /tmp/affiliate-check.json; run it in a confined environment (container or VM) if you're cautious.
  4) Only provide AFFITOR_API_KEY if you trust the code; it is optional and only needed for higher query limits.
  5) If you plan to let an agent autonomously invoke the 'Bash' allowed-tool, understand that gives it permission to run the same build/run commands described here — require user approval before performing the one-time build/run step.
tools/src/cli.ts:80 - Environment variable access combined with network send.
tools/src/server.ts:26 - Environment variable access combined with network send.
[!] tools/src/cli.ts:33 - File read combined with network send (possible exfiltration).
[!] CLAUDE.md:48 - Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

242 downloads
0 stars
1 version
Updated 21h ago
v1.0.0
MIT-0

affiliate-check: Live Affiliate Program Data

Query affiliate program data from list.affitor.com in real-time. Persistent daemon with in-memory cache — first call auto-starts the server, every subsequent call is instant.

SETUP (run this check BEFORE any affiliate-check command)

Before using any command, find the skill and check if the binary exists:

# Check project-level first, then user-level
if test -x .claude/skills/affiliate-skills/tools/dist/affiliate-check; then
  A=.claude/skills/affiliate-skills/tools/dist/affiliate-check
elif test -x ~/.claude/skills/affiliate-skills/tools/dist/affiliate-check; then
  A=~/.claude/skills/affiliate-skills/tools/dist/affiliate-check
else
  echo "NEEDS_SETUP"
fi

Set A to whichever path exists and use it for all commands.

If NEEDS_SETUP:

  1. Tell the user: "affiliate-check needs a one-time build (~10 seconds). OK to proceed?"
  2. If approved, run: cd <SKILL_DIR> && ./setup
  3. If bun is not installed: curl -fsSL https://bun.sh/install | bash
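
One way to carry out step 3 without piping the installer straight into a shell, in line with the scan's advice to inspect it first. This is an added example, not part of the skill or of Bun's documentation; the function names, the review-copy filename and the pinned-hash workflow are assumptions.

```shell
# Added example: download, review, pin, then run (instead of `curl ... | bash`).
# All function names and ./bun-install.review.sh are hypothetical.

# Print the SHA-256 of a file with whichever tool is available.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file's hash equals the hash recorded after manual review.
# Returns 2 if the file is missing, 3 if no pin was supplied.
installer_matches_pin() {
  [ -f "$1" ] || return 2
  [ -n "$2" ] || return 3
  [ "$(file_sha256 "$1")" = "$2" ]
}

# Usage: install_bun_reviewed <sha256 recorded after reading the script>
# First run (no pin): saves a copy to read and prints its hash; nothing executes.
# Later run (with pin): executes only if the served script is byte-identical.
install_bun_reviewed() {
  pin=${1:-}
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" https://bun.sh/install; then
    rm -f "$tmp"
    return 1
  fi
  if installer_matches_pin "$tmp" "$pin"; then
    bash "$tmp"
    rc=$?
  else
    cp "$tmp" ./bun-install.review.sh
    echo "Installer not run. Read ./bun-install.review.sh, then re-run with:" >&2
    echo "  install_bun_reviewed $(file_sha256 "$tmp")" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

If the served script changes between review and install, the hash no longer matches and the function stops at the review step again.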

Quick Reference

A=~/.claude/skills/affiliate-skills/tools/dist/affiliate-check

# Search programs
$A search "AI video tools"
$A search --recurring --tags ai

# Top programs
$A top
$A top --sort trending

# Program details
$A info heygen

# Compare programs side-by-side
$A compare heygen synthesia

# Server management
$A status
$A stop

Commands

Search

affiliate-check search <query>                    Search by name/keyword
affiliate-check search --recurring                Filter recurring commissions
affiliate-check search --tags ai,video            Filter by tags
affiliate-check search --min-cookie 30            Min cookie days
affiliate-check search --sort new                 Sort: trending | new | top
affiliate-check search --limit 20                 Result limit

Discovery

affiliate-check top                               Top programs by stars
affiliate-check top --sort trending               Trending programs
affiliate-check top --sort new                    Newest programs

Details

affiliate-check info <name>                       Detailed program card
affiliate-check compare <name1> <name2> [name3]   Side-by-side comparison

Server

affiliate-check status                            Uptime, cache, API key status
affiliate-check stop                              Shutdown daemon
affiliate-check help                              Full help

Environment

AFFITOR_API_KEY    Optional. API key from list.affitor.com
                   Without: free tier (max 5 results per query)
                   With: unlimited access
                   Get one: list.affitor.com/settings → API Keys (free)

Architecture

  • Persistent Bun daemon on localhost (port 9500-9510)
  • In-memory cache with 5-minute TTL
  • State file: /tmp/affiliate-check.json
  • Auto-shutdown after 30 min idle
  • Server crash → auto-restarts on next command
