Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
trendyol-admin
v1.0.1
Comprehensive management of Trendyol marketplace via API v2.0. Includes product lifecycle (create, update, delete, archive), stock/price management, order pr...
⭐ 2 · 714 · 0 current · 0 all-time
by @awelab
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is presented as an API reference/knowledge base for Trendyol marketplace integration and the included SKILL.md + api_reference.md contain endpoints, auth, headers, payloads and rules consistent with that purpose. Nothing in the package requests unrelated cloud or system credentials.
Instruction Scope
Runtime instructions are limited to constructing Basic Auth headers, required request headers (User-Agent, storeFrontCode), using the listed base URLs, and executing requests via curl or inline code. The instructions do not ask the agent to read arbitrary local files, other credentials, or to transmit data to unexpected endpoints.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk footprint and there is no archive-download or package installation to evaluate.
Credentials
The documentation describes use of API_KEY / API_SECRET (Basic Auth) and sellerId/User-Agent values but the skill metadata does not declare any required environment variables or a primary credential. This is not necessarily malicious (instruction-only skills commonly omit declared env vars), but it means the skill expects the agent or user to supply Trendyol credentials at runtime via whatever secret mechanism the agent platform provides. Ensure you only provide valid Trendyol API credentials and do not paste them into public logs.
Persistence & Privilege
always:false and no install behavior means the skill does not request permanent/system-wide presence or modification of other skills. Autonomous invocation is enabled by default but is not combined with other red flags here.
Assessment
This skill appears to be a straightforward API reference for Trendyol and is internally consistent. Before installing:
1) Be prepared to provide your Trendyol API_KEY and API_SECRET (Basic Auth) via the agent's secure credential store — do not paste keys into public places.
2) Confirm the agent will only send those credentials to Trendyol endpoints (apigw.trendyol.com / stageapigw.trendyol.com).
3) Remember Basic Auth base64 is reversible, so protect the raw credentials and Authorization header.
4) Review any logs the agent may produce to ensure secrets are not being leaked.
If you need higher assurance, request the skill author to declare required env vars in metadata or to provide an explicit example of how credentials are expected to be supplied securely.
Like a lobster shell, security has layers — review code before you run it.
