Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ecommerce Analyzer

v1.0.0

Provides data analysis and monitoring for sales, prices, reviews, keywords, and competitors across major Chinese ecommerce platforms.

0 · 220 · 1 current · 1 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes scraping and analysis across multiple e-commerce platforms, and _meta.json lists Python libraries (pandas, requests, selenium) consistent with that purpose. However, the registry metadata claims no required binaries or environment variables, and there is no install spec. Selenium typically requires a browser and a matching driver (chromedriver/geckodriver), and possibly proxy configuration; that system-level dependency is not declared. The absence of a source repository or homepage further weakens provenance.
Instruction Scope
The runtime instructions in SKILL.md are narrowly scoped to analysis commands (商品分析, 竞品监控, 评论分析, etc.) and do not instruct the agent to read unrelated files or credentials. However, they assert features such as '实时监控' (real-time monitoring) and '自动报告' (automatic reports) without describing scheduling, notification endpoints, or how long-running monitoring should be performed, which leaves the agent broad discretion at runtime.
Install Mechanism
This is an instruction-only skill with no install spec, yet _meta.json lists dependencies including selenium. There are no install steps, no mention of browser drivers, no trusted release URLs, and no guidance on environment setup. That mismatch is a red flag: the agent or integrator would have to supply system packages and drivers out-of-band, which is both a setup gap and a security gap, since whatever is installed that way is outside the scanner's view.
Credentials
The skill requests no environment variables or credentials. For purely public scraping this may be sufficient, but many monitoring workflows rely on API keys, login accounts, proxy credentials, or anti-bot services, none of which are declared. The lack of declared secrets is not inherently malicious, but it is surprising given the stated capabilities and should be clarified with the author.
Persistence & Privilege
The always flag is false and the user-invocable flag is true. The skill does not request persistent system-wide privileges and does not claim to modify other skills. No concerns here based on the available metadata.
What to consider before installing
This skill claims to perform cross-platform e-commerce scraping and analysis but is instruction-only and missing important implementation details. Before installing or using it:
(1) ask the author for the source repository and detailed install steps, including browser drivers for Selenium and any service endpoints;
(2) do not supply credentials or secrets until you have verified how they will be stored and used;
(3) prefer running it in an isolated environment or sandbox, and review any code before granting it network access;
(4) if you expect continuous monitoring, confirm how scheduling and notifications are implemented and where the resulting data and reports are sent;
(5) because the package is paid and has no provenance, demand more information about the developer and about data-handling and privacy policies.
The absence of regex scan findings does not imply safety: the skill ships no code for the scanner to inspect, so manual review is necessary.


latest: vk972bbtdvrwh8ps088p1g3vw7s83s2qa
