Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Search Rank Tracker

v0.1.0

Track whether ChatGPT, Claude, Gemini, and Perplexity recommend a startup or brand across a prompt set. Use when you need AI search visibility tracking, GEO...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: dependencies (openai, @anthropic-ai/sdk) and code files indicate the tool queries ChatGPT/OpenAI and Anthropic (Claude). Requesting those SDKs is proportionate to the stated purpose. However, the skill metadata declares no required environment variables or primary credential while the code/output shows it expects API keys (e.g., ANTHROPIC_API_KEY, OpenAI-compatible keys). That mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructions are straightforward: run the installer and run node src/index.js with a prompts JSON. It tells the user to 'Configure keys in .env' and supports OpenAI/Anthropic/OpenRouter-style setups. The runtime scripts read/write prompts/starter.json and create a .env from .env.example. The instructions do not instruct indiscriminate file reads or network exfiltration beyond calling LLM APIs, but they implicitly rely on secrets in .env that are not listed in the registry metadata.
Install Mechanism
No external binary downloads or obscure URLs; install.sh runs npm install and copies .env.example to .env. Dependencies are pulled from npm (openai, @anthropic-ai/sdk, dotenv), which is a standard, traceable mechanism. No high-risk download/extract operations were detected in the provided files.
Credentials
The code and outputs show it expects API credentials (Missing ANTHROPIC_API_KEY and OpenAI quota errors). Those credentials are proportionate to purpose (querying LLMs), but the registry metadata lists no required env vars. The missing declaration reduces transparency and could lead users to accidentally provide credentials to a package they didn't realize needed them.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings, and only creates/updates files within its repo (copies .env.example to .env and optionally edits prompts/starter.json). This behavior is normal for a local tool.
Scan Findings in Context
[uses-anthropic-sdk] expected: package.json / package-lock include @anthropic-ai/sdk which is expected for querying Claude. This is consistent with the described engines.
[uses-openai-sdk] expected: package.json / package-lock include openai which is expected for ChatGPT/GPT-compatible engines.
[reads-writes-env-file] expected: scripts/install.sh copies .env.example to .env and SKILL.md instructs configuring keys in .env. Creating/reading .env is expected, but the registry metadata did not list the env vars.
[runtime-logs-missing-keys] expected: Output files show 'Missing ANTHROPIC_API_KEY' and OpenAI 429 errors — confirms the code expects live credentials and makes network calls to the provider APIs.
What to consider before installing
This skill implements an LLM-based visibility tracker and legitimately needs API keys for the engines it queries (OpenAI, Anthropic, possibly routing proxies). That is proportionate to its purpose, but the registry metadata incorrectly lists no required environment variables, so the install will create and expect a .env file containing your API keys. Before installing:
1) Inspect .env.example to see which keys are required, and do not use high-privilege or shared production credentials; create a dedicated, limited key if possible.
2) Review the src/* files (index.js, engines.js, parser.js) yourself to confirm which endpoints are called and whether any external URLs are used beyond the vendor SDKs.
3) Run npm install and the script in an isolated environment (or container) if you have any doubt.
4) Because the installer copies .env.example to .env, it will not overwrite an existing .env; still verify the contents before running.
If the publisher updates the registry metadata to explicitly list the required env vars (OPENAI_API_KEY, ANTHROPIC_API_KEY, or any router keys) and documents exactly which services are contacted, my assessment would move closer to benign; as-is, the missing metadata is a transparency concern.


latest: vk97c06y8tk590rj83vpw3wpwmx82y8se
