Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

App Store Optimization

v2.1.1

App Store Optimization (ASO) toolkit for researching keywords, analyzing competitor rankings, generating metadata suggestions, and improving app visibility o...

4 · 2.4k · 13 current · 13 all-time
by Alireza Rezvani (@alirezarezvani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md workflows, and included Python modules (keyword_analyzer, competitor_analyzer, metadata_optimizer, aso_scorer, ab_test_planner, localization_helper, review_analyzer, launch_checklist) are coherent with an ASO toolkit. However, the skill claims capabilities that normally require external data (app store metadata, rankings, search volume) yet does not declare any required API keys, credentials, or explain the data source. That omission is unexpected and reduces clarity about how the tool obtains live store data.
Instruction Scope
SKILL.md and HOW_TO_USE explicitly instruct usage of the included Python scripts for research/analysis. The instructions request user-provided data in many cases (reviews, metrics, competitor app names), which is appropriate, but they do not explain how the scripts fetch live store metadata/rankings or search volumes. The runtime instructions assume the agent or user will run the Python modules but do not list required Python, libraries, or run commands. Running unreviewed scripts that may perform network access or scraping is a meaningful scope risk.
Install Mechanism
There is no install spec (instruction-only from the registry perspective), but the package ships with eight sizable Python modules and multiple docs. No requirements.txt, no dependency list, and no platform install steps for Python packages are provided. That makes runtime behavior unclear (dependencies may be missing) and increases the chance someone will execute code without understanding its external dependencies or side effects. There is no download-from-URL risk in the registry metadata itself.
Credentials
The skill requests no environment variables or credentials, which is good from a secrets-exfiltration standpoint. At the same time, many of the advertised features (live rankings, search volume estimates, automated competitor extraction) typically require network access and/or API credentials; the SKILL.md instead leans on the user supplying data or the scripts performing their own fetches, but it does not state which approach is used. This mismatch (complex capability but no declared data-source credentials) is an unexplained gap.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config changes. It is user-invocable and allows normal autonomous invocation. There is no evidence in the metadata that it modifies other skills or system settings.
What to consider before installing
This skill appears to actually implement an ASO toolkit (the Python scripts line up with the advertised features), but there are important unknowns you should resolve before installing or executing anything:

1) Ask the author how the scripts obtain live App Store / Google Play data and search-volume estimates. If they require API access, request explicit instructions and which credentials are needed.
2) Request a requirements.txt or dependency list and run the code only in a controlled environment (container or VM).
3) Review the Python scripts for network calls (search for requests, urllib, selenium, google-play-scraper, playwright, or other scraping libraries) and any hard-coded endpoints before running.
4) If you will run the scripts, do so offline / sandboxed first and with non-sensitive test data; do not paste production credentials unless you understand and trust the code.
5) If you need fully automated live scraping or API access, prefer a skill that documents required credentials/third-party services clearly.

If you want, I can scan the included Python files for network calls, credential reads, or suspicious patterns and summarize what they do.

Like a lobster shell, security has layers — review code before you run it.

latest · vk975b5c2nc18488j52nsdjxhhh82k80b

