Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Walter Competitor
v1.0.0 · Intelligent analysis of Amazon competitor traffic (offence and defence). Automatically discovers competitors, analyses traffic structure, identifies weaknesses, and generates an attack matrix. No need to supply ASINs manually; fully automatic competitor intelligence gathering.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill claims to auto-discover Amazon competitors and produce attack/ROI plans — the bundled Python code uses a SellerSprite MCP client (mcporter) to call many third‑party APIs, which is coherent with the stated purpose. However, the registry metadata declares no required binaries or credentials, while the code explicitly expects the mcporter CLI to be configured with a secret key (an example URL appears in the comments). The missing declaration of that dependency and credential is an inconsistency.
Instruction Scope
SKILL.md and the bundled scripts instruct use of the unified data layer and many remote API calls to collect competitor intelligence. The code will send user inputs (keyword, ASINs) and many internal API calls to external SellerSprite endpoints. The runtime uses subprocess.run(..., shell=True) to call mcporter, and argument construction does not reliably escape or validate strings, creating a risk that crafted inputs could lead to shell injection. The instructions do not document required credentials or how sensitive data is handled.
Install Mechanism
There is no install spec in the registry metadata, but sellersprite_mcp.py explicitly documents installing an npm global tool (mcporter) and configuring it with a secret-key URL (https://mcp.sellersprite.com/...). Relying on a globally installed CLI that must be configured with a secret is a high-friction, undeclared install requirement, and it increases risk because the skill invokes that CLI via shell commands.
Credentials
The skill declares no required environment variables or primary credential, yet operation requires a SellerSprite secret (shown in the header comments and the mcporter config example) and network access to third‑party endpoints. The absence of declared required credentials is disproportionate and hides the fact that sensitive API keys/secrets (entered into the mcporter config or URL) are necessary and will be used by the skill.
Persistence & Privilege
The skill does not set always:true and does not request persistent system-wide privileges in its metadata. It caches API responses in memory only. Autonomous invocation is allowed (the default), but that is normal for skills; there is no evidence that the skill alters other skills or the global agent configuration.
What to consider before installing
This skill bundles working code that expects you to install and configure a third‑party CLI (mcporter) with a SellerSprite secret, but the package metadata doesn't declare those requirements — that's a red flag. The code runs mcporter via subprocess.run(..., shell=True) and builds shell commands from input values without robust escaping: untrusted or specially crafted keywords could lead to command injection. Before installing or running it:
- Confirm you trust the skill author and SellerSprite service. The owner is unknown and there is no homepage.
- Do not supply production credentials or secrets until you understand where they'll be stored. The skill expects a secret-key in mcporter config (or URL) but does not declare an environment variable or secure storage mechanism.
- Consider running the code in an isolated environment (VM/container) and review or modify the sellersprite_mcp.run_mcporter call to avoid shell=True (pass an argument list instead) or to properly escape/encode arguments.
- Ask the author to: (1) declare required binaries and credentials in the metadata, (2) remove shell usage or add safe escaping, and (3) document what data is sent to external endpoints and the retention policies.
Given these mismatches and the subprocess usage, treat this skill as suspicious until the above issues are resolved or you can audit and sandbox its execution.