Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sellersprite Api
v1.0.0
SellerSprite Product Research — Fetch Amazon market data via SellerSprite API: product research, keyword analysis, competitor lookup, ASIN details, Blue Ocea...
by Yang Jun (@boyd4y)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (SellerSprite product research) matches the commands and API endpoints described in SKILL.md and references. The required capability — calling SellerSprite endpoints with an API key — is coherent with the stated purpose. However, the registry metadata lists no required binaries or env vars, while the SKILL.md metadata explicitly lists the bun runtime and the @teamclaw/sellersprite-cli package; this metadata mismatch is unexpected.
Instruction Scope
All runtime instructions are limited to running the SellerSprite CLI (bunx @teamclaw/sellersprite-cli) against SellerSprite endpoints and managing a local config secret. The instructions only reference the SELLERSPRITE_SECRET_KEY (optional) and local config; they do not ask the agent to read unrelated system files, other credentials, or to transmit data to unexpected endpoints.
Install Mechanism
There is no install specification in the registry (instruction-only), but the SKILL.md metadata lists a runtime dependency on bun and a package (@teamclaw/sellersprite-cli). That means running the skill will rely on bunx to fetch and run a third‑party CLI at runtime (dynamic package installation/execution) even though no explicit install spec or install sources are provided. Dynamic fetching/execution of a package from an unknown author increases risk unless the package origin and code are verified.
Credentials
The only credential referenced is SELLERSPRITE_SECRET_KEY (optional in SKILL.md) used to authenticate to the SellerSprite Open API. This is proportionate to the skill's purpose. No unrelated secrets or broad system credentials are requested.
Persistence & Privilege
The skill does not request always: true and does not appear to modify other skills or request system-wide privileges. It may write a local config (via the CLI's config command) to store the API key, which is expected behavior for a CLI that needs an API key.
What to consider before installing
This skill appears to do what it says (call SellerSprite APIs for Amazon research), but there are two things to check before trusting it:
1) Metadata mismatch: the registry summary shows no required binaries/env vars, yet SKILL.md requires the bun runtime and references the @teamclaw/sellersprite-cli package. Ask the publisher (or the skill registry) to clarify and provide an explicit install spec or a canonical package source.
2) Dynamic execution risk: the SKILL.md expects you to run bunx @teamclaw/sellersprite-cli, which will fetch/execute a third‑party CLI. Only proceed if you trust the @teamclaw/sellersprite-cli package and/or have inspected its repository/release artifacts. If you cannot verify the package, run commands in an isolated environment (VM/container) or request the skill author to include a vetted install spec (e.g., a pinned GitHub release or a vetted package SHA).
If you are comfortable providing an API key to this service, limit exposure by using a key with minimal permissions and rotating it if you later uninstall or stop using the skill.
Like a lobster shell, security has layers — review code before you run it.
