Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

botlearn-strategy-intel

v1.0.3

Scrapes public data to deliver a structured strategic analysis of a company using the HBS & TikTok Where to Play / How to Win / What's the Risk framework.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (scrape public data via Apify and produce a strategy write-up) matches the included scripts (apify_scraper.py + run.py). However the registry/metadata lists no required environment variables or primary credential even though both the documentation and the code depend on APIFY_API_KEY and either ANTHROPIC_API_KEY or OPENAI_API_KEY. That mismatch is an incoherence in the manifest.
Instruction Scope
SKILL.md instructs the agent/user to run python3 scripts/run.py {company_name} (or with 'deep'), which triggers Apify scraping and then an LLM call. The instructions and scripts only read partner_playbook.md and environment variables and call external APIs (Apify and an LLM provider). They do not access unrelated local files or hidden endpoints. This is within the stated scope, but the runtime will transmit scraped public data to Apify and to the configured model provider (expected but worth noting).
Install Mechanism
There is no install spec in the registry (instruction-only), but the skill ships Python scripts that require 'requests' and optionally the 'anthropic' or 'openai' client libraries. The README suggests pip installing dependencies, but the registry doesn't declare them—this missing dependency/install info is a usability and transparency issue rather than an active code-download risk. No external arbitrary downloads or archive extracts are present.
Credentials
The code requires APIFY_API_KEY and either ANTHROPIC_API_KEY or OPENAI_API_KEY to operate; those credentials are appropriate for the skill's purpose (scraping via Apify and calling an LLM). However the registry metadata declares no required env vars or primary credential, which is disproportionate/incoherent. The skill will send scraped public data to Apify and to the chosen model provider, so users should be aware what data those services will receive.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills or system-wide settings, and does not write persistent agent configuration. Autonomous invocation is allowed (platform default) but not combined with any high-privilege behaviors.
What to consider before installing
This skill appears to do what it says (scrape public sources via Apify and synthesize strategy using an LLM), but the package/registry metadata is incomplete and therefore suspicious. Before installing:
- Expect to set APIFY_API_KEY and an LLM key (ANTHROPIC_API_KEY or OPENAI_API_KEY). The registry claims no required env vars; confirm and correct that mismatch before trusting automated installs.
- Review the included scripts locally. They POST scraped queries to apify.com (normal for this use) and will forward scraped content to your configured LLM provider; don't pass private or confidential company data through it.
- Install and run the scripts manually in a safe environment to verify behavior (pip install requests plus anthropic/openai SDKs as needed). Inspect network logs if possible.
- Use limited-scope or throwaway API keys if you want to test without exposing high-privilege credentials, and verify the publisher identity (source is unknown).
If you need this functionality and trust the code after inspection, it's reasonable to use — but the manifest should be fixed to declare required env vars and dependencies before broad deployment.

