ClawHub

Octolens

v1.0.0

Query and analyze brand mentions from Octolens API. Use when the user wants to fetch mentions, track keywords, filter by source platforms (Twitter, Reddit, GitHub, LinkedIn, etc.), sentiment analysis, or analyze social media engagement. Supports complex filtering with AND/OR logic, date ranges, follower counts, and bookmarks.

4· 2.6k·7 current·7 all-time
by@garrrikkotua
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe querying Octolens mentions. All included scripts (fetch-mentions, query-mentions, list-keywords, list-views, advanced-query) call https://app.octolens.com/api/v1 endpoints and implement the documented filter parameters — capabilities align with the stated purpose.
Instruction Scope
SKILL.md and bundled scripts limit actions to making authenticated HTTP requests to the Octolens API and printing results. There are no instructions to read unrelated files, access other system configuration, or post data to unexpected endpoints.
Install Mechanism
There is no install spec. The skill is instruction-only with bundled Node.js scripts; nothing in the manifest pulls remote archives or executes installers. This is low install risk.
!
Credentials
The runtime clearly requires an Octolens API key (SKILL.md: 'Always ask the user for their API key' and all scripts accept an API key argument), but the registry metadata lists no required environment variables or primary credential. That mismatch between declared metadata and the actual authentication requirement is an incoherence and reduces trust. Additionally, the skill publisher and homepage are unknown, so you cannot easily verify the API owner or permission scopes for keys you provide.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify system-wide settings. It runs as-needed and requires user-supplied API keys at runtime (via arguments or prompts).
What to consider before installing
The skill's code matches its description — it only queries https://app.octolens.com/api/v1 and prints results — but the package metadata failing to declare the required API credential is a red flag. Before installing: - Verify the Octolens service and domain (app.octolens.com) are legitimate and that you trust the publisher (no homepage or known owner is listed). - Provide an API key only when necessary and consider creating a key with limited scope/permissions and an expiration if the service supports it. - Prefer passing the API key as a command-line argument or ephemeral prompt rather than storing it permanently in agent config; confirm how your agent stores secrets. - Review the included scripts yourself (they are short and readable) to confirm there are no hidden endpoints or telemetry; the provided files only contact the documented API. Because the metadata does not declare the required credential, treat this skill as suspicious until you confirm the publisher and how API keys will be handled/stored.

Like a lobster shell, security has layers — review code before you run it.

latestvk973qnmbz45xpg44ev7r7e66s57zz14z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments