ℹ
Purpose & Capability
The name and description map to the included scripts and API calls (brand diagnosis, knowledge base upload, content generation). The skill expects an API key for api.aidso.com, which is proportionate to the stated purpose. Minor inconsistencies exist in the documented endpoint paths (see instruction_scope), but overall the required capabilities align with the stated purpose.
!
Instruction Scope
SKILL.md and references instruct the agent to check/bind an API key and to call AIDSO APIs only. However: (1) the binding flow explicitly states it will 'directly save' whatever the user provides without pre-validation; (2) the docs and code have inconsistent endpoint paths (e.g., content API listed as /openapi/skills/run_realtime_report in references and /openapi/skills/geo_content/generate in scripts; some docs show double slashes); (3) README suggests installing packages (markdown, weasyprint) not used by the included polling scripts. The direct-save behavior and documentation mismatches are sloppy and raise operational/privacy concerns.
ℹ
Install Mechanism
There is no formal install spec (instruction-only), so little is written to disk during install. The package includes Python scripts that require python3 (declared in _meta.json). README suggests 'pip install requests markdown weasyprint' but scripts only import requests; the extra suggested packages appear unnecessary. No remote downloads or unusual install URLs are present.
✓
Credentials
The only credential surface is an API key for the AIDSO GEO service (AIDSO_GEO_API_KEY marked optional). Requesting an API key is proportional to the skill's networked functionality. No unrelated credentials or system config paths are requested.
!
Persistence & Privilege
The skill explicitly instructs saving the user's API key into openclaw.json (a persistent agent config) and continuing to execute requests using that saved key. The binding flow does not pre-validate or sanitize the key and forbids echoing it back, which increases the chance that a secret will be stored in plaintext. While writing its own credential into agent config can be legitimate, the unconditional 'direct save' without validation and the lack of guidance about storage security are a notable privacy/persistence risk.
What to consider before installing
This skill appears to do what it says (GEO diagnostics, knowledge-base uploads, and content generation via api.aidso.com), but there are a few red flags to consider before installing:
- It asks you to provide an AIDSO API key and instructs the agent to save that key directly into openclaw.json without validating it first. That means your key could be stored persistently (likely in plaintext) in the agent config. Only proceed if you trust the AIDSO provider and understand where openclaw.json is stored and who can access it.
- There are multiple minor inconsistencies between the docs and the code (different content endpoint paths, stray double slashes in URLs, README advising packages not used by the scripts). These look like sloppy documentation rather than active malicious behavior, but they reduce confidence.
- The skill will send whatever API key you supply to api.aidso.com in x-api-key headers as part of normal operation. If you prefer not to have the skill persist the key, consider providing the key via an environment variable (AIDSO_GEO_API_KEY) under your control and confirm whether the platform allows preventing permanent storage.
What you can do before installing:
1) Verify the skill publisher / homepage (https://geo.aidso.com) and confirm trustworthiness and privacy policy.
2) Ask the publisher to (a) add pre-validation of API keys before saving, (b) avoid unconditional storing of secrets or at least advise on storage protection, and (c) fix endpoint/documentation inconsistencies.
3) If you must use it, prefer supplying the API key only in an environment variable scope you control (AIDSO_GEO_API_KEY) and audit openclaw.json after first use to confirm whether the key was saved and where.
If you want, provide the path where openclaw.json would be stored on your system or ask the skill author for a version that only uses ephemeral environment variables and performs a validation check before persisting keys; that would raise confidence to 'benign.'