Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fda Drug Safety Monitor

v1.0.0

Free API for FDA drug safety monitoring and enforcement actions. No subscription. Monitor recalls, safety alerts, drug name search. Government data, pay-per-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description/SKILL.md advertise an FDA drug safety monitor (and an x402 API), but the repository contains a full Trustpilot review scraper (package.json, README, many handler modules, BASE_URL=https://www.trustpilot.com). Only src/main.js actually queries the FDA API; the rest of the codebase and README are unrelated. Declaring the skill as 'instruction-only' while bundling many Node files and heavy scraping dependencies is inconsistent.
Instruction Scope
SKILL.md instructs use of an external x402 API endpoint, yet the included code will (if executed) perform Trustpilot scraping and use Apify Actor APIs (pushData, charge). The README and code describe scraping reviewer names, domains, and other PII-like fields; SKILL.md does not disclose this. The runtime instructions and bundled code therefore permit actions (web scraping, dataset pushes, billing) outside what the user-facing description suggests.
Install Mechanism
The package declares many npm dependencies (apify, crawlee-related packages) and a package-lock, but the skill metadata states 'No install spec / instruction-only'. That mismatch is suspicious: installing or running this skill will require npm/node and will pull many packages, yet the registry metadata gives no install guidance. Absence of an install spec hides a moderate installation risk surface.
Credentials
The skill declares no required env vars, but the code uses the Apify SDK (Actor.init/getInput/pushData/charge). Running these may rely on Apify platform credentials (e.g., APIFY_TOKEN) or incur billing via Actor.charge. The code can accept a proxyUrl in input and dynamically loads https-proxy-agent. The lack of declared environment/credential requirements is therefore not proportional to what the code actually needs and can do.
Persistence & Privilege
always:false (good). Autonomous invocation is allowed (default) — combined with the other inconsistencies this increases risk because the skill can run by itself and call Apify APIs (including pushData and charge). The skill does not request global agent config changes, but it will write results to Apify datasets and attempt micropayment charges when executed.
Scan Findings in Context
[no_pre_scan_findings] unexpected: The static pre-scan reported no injection signals, but that is not reassuring here: the primary issue is semantic mismatch (FDA description vs. Trustpilot scraper code) and missing install/credential declarations rather than obvious regex-detectable secrets or injections.
What to consider before installing
Do not install this skill until the maintainer clarifies what it actually does. Specific concerns:

  • (1) The public description/README/SKILL.md claim an FDA data API, but the repository mostly contains a Trustpilot scraper — this is a clear mismatch.
  • (2) The bundle includes many npm dependencies and an Apify actor (Actor.init/pushData/charge). Running it may require Node/Apify credentials and could push data to Apify datasets or attempt billing via Actor.charge.
  • (3) The package metadata claims 'instruction-only' yet ships executable code — that hides installation steps and risks.

Actions to take before proceeding:

  • Inspect and verify the author and homepage.
  • Request a corrected SKILL.md that accurately describes the skill's behavior.
  • Confirm whether running this will use your Apify account or require APIFY_TOKEN.
  • Run the code in a sandbox and review its network calls (trustpilot.com, api.fda.gov and x402.ntriq.co.kr).
  • Avoid providing platform credentials or installing on production systems until the mismatches are resolved.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Fda Drug Safety Monitor

Free API for FDA drug safety monitoring and enforcement actions. No subscription. Monitor recalls, safety alerts, drug name search. Government data, pay-per-use.

Usage

Available on Apify Store and via x402 micropayments.

Service Catalog

curl https://x402.ntriq.co.kr/services

Features

  • AI-powered analysis
  • JSON structured output
  • Pay-per-use pricing
