Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Competitor Analyzer
v1.4.0
Scrapes Amazon product data from ASINs using SkillBoss API Hub web scraping and performs surgical competitive analysis. Compares specifications, pricing, rev...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the code: the skill scrapes Amazon pages via SkillBoss API Hub and performs analysis. Requesting a SkillBoss API key is coherent with that purpose. However, registry metadata lists no required environment variables while both SKILL.md and the code require SKILLBOSS_API_KEY — this metadata mismatch is unexpected.
Instruction Scope
SKILL.md instructs only to provide ASINs and a SkillBoss API key and to run the included Python script. The runtime instructions and the script focus on scraping Amazon pages and calling SkillBoss endpoints. The script does send scraped page content to the SkillBoss LLM extraction endpoint (expected for structured extraction). There is no instruction to access unrelated system files or external endpoints beyond api.skillboss.co.
Install Mechanism
No install spec is provided (instruction-only skill with a Python file). Dependencies are minimal (requests, optional python-dotenv). No external archives or unusual downloads are fetched by an installer.
Credentials
The skill requires SKILLBOSS_API_KEY (declared in SKILL.md and used in code), which is proportionate to the purpose. But the registry metadata claims no required env vars — this inconsistency can hide that an API key is needed. The code also attempts to load a .env file from the script directory and will set any key=value pairs found there into the environment, which could cause accidental use/exposure of other secrets if a .env exists in that directory.
Persistence & Privilege
The skill does not request elevated privileges, does not set always: true, and does not modify other skills or system-wide settings. It runs as a standalone script and only communicates with api.skillboss.co.
What to consider before installing
Things to check before installing or running this skill:
- Expectation mismatch: The registry metadata omits the required SKILLBOSS_API_KEY but both the SKILL.md and the script require it. Treat the skill as requiring that credential unless the publisher corrects the metadata.
- Limit secrets: Only provide a SkillBoss API key. Do not place other sensitive credentials in a .env file in the skill directory — the script will load any key=value pairs it finds there into the environment.
- Code review: The included Python file calls https://api.skillboss.co and sends scraped Amazon page content to SkillBoss (scraper + LLM extraction). If you rely on SkillBoss, confirm their privacy/retention policy and that sending full page text is acceptable for your data.
- Legal/TOS: Scraping Amazon may violate Amazon's terms of service — confirm this is acceptable for your use case and jurisdiction.
- Run in isolation: When testing, run the script in an isolated environment (ephemeral container or VM) with only the SkillBoss key configured to limit accidental exposure of other secrets or files.
- If you need higher assurance: ask the publisher to (a) fix registry metadata to declare SKILLBOSS_API_KEY, (b) remove automatic loading of arbitrary .env files or limit it to only the expected key, and (c) provide a reproducible, signed release or provenance for the code. If the publisher cannot explain the metadata mismatch, treat the package with extra caution.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Environment variables
SKILLBOSS_API_KEY (required)