Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Product Research
v1.0.0
Conducts Amazon product research by analyzing market size, competition, profit margins, competitors, and risks to provide GO/NO-GO recommendations.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform Amazon product research and the code implements that using a data layer and SellerSprite API. However the package metadata declares no required environment variables or credentials even though the SKILL.md and code depend on an external data layer (unified_data_layer_v2) and SellerSprite API access. Not declaring the needed API credentials is an inconsistency.
Instruction Scope
SKILL.md describes a bounded analysis workflow and the code follows it. However the runtime code injects a sys.path entry that points three directories up into a 'scripts' folder to import unified_data_layer_v2, which means the skill will try to import code from outside its own bundle at runtime — this increases the attack surface and can cause the agent to execute unexpected code. The instructions do not disclose where the data layer will send network requests or which credentials it expects.
Install Mechanism
There is no install spec (instruction-only with included code files). Nothing is downloaded at install time. Risk comes from runtime imports and the external data-layer dependency rather than an installer.
Credentials
No environment variables or primary credential are declared, yet the SKILL.md lists 'SellerSprite API access' as a dependency and the code calls external APIs via a data layer. This mismatch means the skill will likely require API keys/credentials that are not declared or explained, which is disproportionate and opaque.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false) and does not modify agent/system configuration in the provided code. The main privilege-related risk is autonomous runtime network access via the external data layer, not persistent installation.
What to consider before installing
This skill implements an Amazon product-research workflow but relies on an external 'unified_data_layer_v2' and SellerSprite API. Before installing or running it: (1) ask the author to declare required environment variables (API keys/tokens) and document endpoints; (2) request and review the unified_data_layer_v2 and sellersprite_mcp source to confirm where requests go and how credentials are used; (3) note the code alters sys.path to import modules from parent directories — run it in a sandbox or isolated environment to avoid importing unexpected code; (4) do not provide production API credentials until you verify the data-layer code and the remote endpoints; and (5) if you can't review the missing modules, prefer a safer alternative or ask the publisher to bundle audited connectors and declare required env vars in the skill manifest.
Like a lobster shell, security has layers — review code before you run it.
latest vk976tx4405jahc82r76mnqk6k584rqpb
