Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ecom Manager D2c
v1.0.3
AI ecommerce operations manager
⭐ 1 · 292 · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims broad integrations (Shopify, Google Ads, Meta, WhatsApp, Google Analytics, competitor scraping, etc.) but the registry metadata lists no required environment variables, credentials, or config paths. For those integrations you would normally expect API keys, OAuth tokens, or account IDs — their absence is incoherent.
Instruction Scope
The SKILL.md and supporting docs instruct the agent to perform actions that involve external systems (scrape competitor sites, read/send WhatsApp messages, manage ad campaigns, update store data). The runtime instructions say integration tokens should be stored securely and requested if missing, but they do not specify where/how tokens are provided or constrained, leaving execution behavior and data flows ambiguous.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers immediate installation risk.
Credentials
No environment variables or primary credential are declared despite clear need for multiple service credentials. A legitimate ecommerce automation tool would require at least API tokens for store platforms and ad/messaging services; the lack of declared required secrets is disproportionate and unexplained.
Persistence & Privilege
The skill is not always-on and does not request elevated platform-wide privileges in the metadata. There is no explicit persistence or modification of other skills/configs described.
What to consider before installing
Before installing, ask the publisher where and how authentication is handled and what exact tokens/permissions will be requested. Do not provide high-privilege admin keys without understanding storage and access controls. Because the skill will interact with ad accounts, stores, messaging platforms, and may scrape competitor sites, verify legal/ToS implications and limit access to a test account first. Confirm who operates the skill (no homepage/source listed) and prefer vendors that declare required env vars and show how secrets are stored. If you proceed, grant least privilege credentials, require explicit confirmations for destructive actions, enable auditing/logging, and monitor traffic for unexpected data exfiltration.
Like a lobster shell, security has layers — review code before you run it.
latestvk979gh6fgyvwxeekzybaa4m9z5830yf7
