Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GEO Tracker

v1.0.0

Track and optimize brand visibility across AI search engines (ChatGPT, Perplexity, Gemini, Google AI Overview, Claude). Use when monitoring brand mentions in...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious (view report →)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill claims to track brand visibility across multiple AI engines, and the included Python scripts implement exactly that (OpenAI, Perplexity, Google Generative AI, Anthropic). However, the registry metadata lists no required environment variables or primary credential, even though SKILL.md and the code require multiple API keys (OPENAI_API_KEY, PERPLEXITY_API_KEY, GOOGLE_API_KEY, ANTHROPIC_API_KEY). That omission makes the manifest inconsistent with the code and should be corrected; as published, the manifest understates what the skill needs.
Instruction Scope
SKILL.md gives concrete instructions to run the provided scripts, set API keys, and schedule audits. The runtime instructions do not request unrelated filesystem reads or any credentials beyond the provider API keys. One minor inconsistency: SKILL.md mentions a 'Google AI Overview' web_search tool, but the code only makes API calls; there is no web-scraping or web_search implementation for a separate 'Google AI Overview' source.
Install Mechanism
This is instruction-only with Python scripts and a standard pip dependency list (openai, anthropic, google-generativeai). There is no download-from-URL or archive extraction; installing Python packages via pip is expected for this use case.
Credentials (flagged)
The skill legitimately needs an API key for each engine it queries, so several secret-like env vars are reasonable. The problem is that the published registry metadata declares no required env vars while SKILL.md and the code expect several sensitive keys. This mismatch could mislead users into installing without preparing credentials. Note also that supplying provider API keys lets the code query those services (and incur billing), so use limited-scope or test keys where possible.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system-wide configuration, and only writes a report file when the user requests an output path. It uses normal agent invocation semantics and does not demand elevated or persistent platform privileges.
What to consider before installing
This skill's scripts do what the description says, but the registry metadata fails to list the API keys the code actually requires; treat that as a red flag. Before installing: (1) review the included scripts (they ship with the skill) and make sure you understand every network call they make; (2) do not provide production API keys immediately; test with limited-privilege or dummy keys in an isolated virtual environment; (3) be aware that supplying provider keys lets the tool make API calls that may incur charges and reveal your usage to those providers; (4) confirm the skill's source and provenance (there is no homepage, and the owner ID is opaque); and (5) if you plan to run scheduled audits, make sure the scheduling agent runs in a controlled environment with appropriate network and billing limits. If the registry metadata is later corrected to declare the required env vars, the coherence concerns would be resolved.
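The mismatch the scan reports (a manifest that declares no env vars while the code reads several) is something you can check yourself before installing any skill. The following is an added example, not ClawHub's scanner and not the skill's own code: a small AST-based audit that lists the env vars a skill's Python scripts read, the modules they import and the URL literals they contain, then diffs the env vars against what the manifest declares. The manifest field name `requiredEnvVars`, the sample manifest and the sample script are all constructed for the example; substitute your registry's real schema and the skill's real files.

```python
import ast
import json

# Constructed sample inputs (not the skill's real files): a manifest that declares no
# required env vars, and a script that reads four provider keys and one API URL.
SAMPLE_MANIFEST = json.dumps({
    "name": "geo-tracker",
    "version": "1.0.0",
    "requiredEnvVars": [],   # hypothetical field name; use your registry's actual schema
})

SAMPLE_SCRIPT = '''
import os
import openai
import anthropic
from google import generativeai as genai

openai.api_key = os.environ["OPENAI_API_KEY"]
anthropic_key = os.getenv("ANTHROPIC_API_KEY")
google_key = os.environ.get("GOOGLE_API_KEY", "")
perplexity_key = os.environ["PERPLEXITY_API_KEY"]
PERPLEXITY_URL = "https://api.perplexity.ai/chat/completions"
'''


def _is_name(node: ast.AST, name: str) -> bool:
    return isinstance(node, ast.Name) and node.id == name


def _is_os_environ(node: ast.AST) -> bool:
    # Matches the expression `os.environ`.
    return isinstance(node, ast.Attribute) and node.attr == "environ" and _is_name(node.value, "os")


def _str_const(node: ast.AST):
    # Returns the string value of a literal, or None for anything else.
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def env_vars_read(source: str) -> set:
    """Names read via os.environ["X"], os.environ.get("X", ...) or os.getenv("X", ...)."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            key = _str_const(node.slice)  # Python 3.9+: slice is the index expression itself
        elif isinstance(node, ast.Call) and node.args and isinstance(node.func, ast.Attribute):
            f = node.func
            getenv = f.attr == "getenv" and _is_name(f.value, "os")
            environ_get = f.attr == "get" and _is_os_environ(f.value)
            key = _str_const(node.args[0]) if (getenv or environ_get) else None
        else:
            key = None
        if key:
            found.add(key)
    return found


def imported_modules(source: str) -> set:
    """Top-level module names the script imports (provider SDKs make the outbound calls)."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def url_literals(source: str) -> set:
    """String constants that look like endpoints the script may contact directly."""
    return {
        node.value
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
        and node.value.startswith(("http://", "https://"))
    }


def manifest_gaps(manifest_json: str, source: str) -> dict:
    """Diff what the manifest declares against what the code actually reads and contacts."""
    declared = set(json.loads(manifest_json).get("requiredEnvVars", []))
    needed = env_vars_read(source)
    return {
        "undeclared_env_vars": sorted(needed - declared),  # the red flag the scan describes
        "declared_but_unused": sorted(declared - needed),
        "imports": sorted(imported_modules(source)),
        "urls": sorted(url_literals(source)),
    }


if __name__ == "__main__":
    for key, value in manifest_gaps(SAMPLE_MANIFEST, SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run it against every `.py` file in the skill and treat a non-empty `undeclared_env_vars` list as the same coherence failure the scan flags above. The `imports` and `urls` lists are the starting point for step (1): each provider SDK and each literal endpoint is an outbound call your keys will be sent to. The check is static and deliberately conservative; it will miss keys read through a wrapper function or built from string concatenation, so use it to narrow a manual review, not to replace one.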


latest: vk97dn68wm9vc2phfhpee6vd1bn81zfyj

