Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apify Google Maps Scraper

v0.1.1

This skill should be used when the user asks to "scrape Google Maps", "find businesses on Google Maps", "get business listings", "extract business data", "fi...

by Futurize Rush (@futurizerush)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the instructions: the skill invokes an Apify actor to scrape Google Maps and (optionally) business websites for emails. That capability is coherent with the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to call api.apify.com endpoints (start runs, poll run status, fetch dataset items) and to set/use APIFY_API_TOKEN. All network calls are to Apify (and Google Maps URLs supplied as inputs). There is no instruction to read unrelated local files, but the instructions do require an environment credential that is not declared in the metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no on-disk installation or third-party package download risk in the bundle itself.
Credentials
SKILL.md requires APIFY_API_TOKEN (sensitive credential granting access to the user's Apify account), but the skill metadata lists no required environment variables nor a primary credential. The token requirement is appropriate for an Apify-based scraper but its absence from declared requirements is an incoherence and a risk if users are not warned.
Persistence & Privilege
The skill is not always-enabled and does not request system config paths or other long-term privileges; autonomous invocation is allowed but is the platform default.
What to consider before installing
Before installing, note that the runtime instructions require APIFY_API_TOKEN even though the registry metadata doesn't declare it. If you plan to use this skill:

1) verify the actor owner and the actor 'futurizerush/google-maps-scraper' on Apify to ensure you trust it;
2) create a scoped/restricted Apify API token (not your main account token) and never share it publicly;
3) be aware runs may crawl external websites to extract emails (possible privacy/ToS/legal implications) and may incur Apify usage costs;
4) confirm the registry metadata is updated to declare APIFY_API_TOKEN, and consider revoking or rotating the token after use.

If any of these checks fail or you cannot trust the remote actor, do not provide your token.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-agent, apify, business, email, google-maps, latest, lead-generation, scraping
