Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Analyse

v1.0.0

Performs a full-dimensional deep analysis of Amazon competitor listings, covering copy logic, review analysis, keyword analysis, market dynamics and more. When the analysis completes, the result is automatically saved as a Markdown report document in the reports/ directory. Invoke when the user issues the /amazon-analyse command with a product ASIN.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Amazon listing analysis) aligns with the SKILL.md and bundled docs: all runtime steps call the Sorftime MCP API and generate Markdown reports. However, the skill expects an API key (shown as YOUR_API_KEY in curl examples and .mcp.json config) but the registry metadata declares no required environment variables or primary credential — an inconsistency.
Instruction Scope
Instructions are focused on fetching product data from Sorftime MCP (product_detail, reviews, traffic terms, trends, etc.), analyzing it, and saving a Markdown report to reports/. They explicitly tell the agent to use curl/SSE, decode Unicode, and use platform Read/Write tools for temp files and report saving; there is no instruction to read unrelated system files or harvest other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk at install time. That minimizes install-time risk.
Credentials
The skill clearly requires a Sorftime MCP API key (examples and README reference https://mcp.sorftime.com?key=YOUR_API_KEY and a .mcp.json file) but the skill metadata lists no required env vars or primary credential. Asking for/using an API key is expected for this purpose, but the omission from metadata is a security/usability gap: users may not realize a secret is required or how it will be supplied. Also the examples place the key in a URL query parameter (which can leak in logs) rather than recommending secure secret storage.
Persistence & Privilege
The skill does write output files (under reports/) as part of normal operation, but its metadata sets always:false and it makes no claim to modify other skills or system-wide configs. File writes are limited to project reports and are documented in SKILL.md/README.
What to consider before installing
This skill appears to do what it says (calls Sorftime MCP and writes Markdown reports), but before installing or running it confirm the following:

- The skill requires a Sorftime MCP API key (examples show YOUR_API_KEY and README/.mcp.json). The registry metadata did NOT declare that credential; ask the author to add a required credential field or documentation on how the platform will provide the key.
- Do NOT paste your API key into public chat or logs; prefer storing it in the agent/platform secret store or an environment variable accessible only to the skill. The examples put the key in the URL query string, which can leak in logs; request an authenticated header or secure config instead.
- Verify the Sorftime endpoint (https://mcp.sorftime.com) and the author/owner identity before providing any secrets. The skill's source/homepage is unknown; lack of provenance increases risk.
- Be aware the skill will create files under reports/ in the project. If you have sensitive workspace policies, confirm where reports are stored and who can access them.
- If you need higher assurance, ask the author to: (1) declare a primary credential in the skill metadata, (2) prefer header-based authentication over query parameters, and (3) include a short integrity/privacy statement describing what data is sent to Sorftime and retention behavior.

Given these issues (missing declared credential and insecure example usage), treat the skill as suspicious until the author clarifies credential handling and endpoint provenance.


Version: latest (vk9735mnc2jcpct2t480s7002xs82j328)
