Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ecommerce Product Pro

v1.0.1

AI-powered ecommerce product research tool for Amazon FBA, Shopify, and dropshipping. Find winning products, analyze competition, estimate profits, and track...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description promise real ecommerce integrations (Amazon, Google Trends, Alibaba supplier recommendations, social signals). The actual code implements only local, simulated/randomized data and small built-in databases — there are no network calls or API integrations. Examples show passing an apiKey, but the package declares no required env vars. This is a capability/expectation mismatch (useful for prototyping, but not what the description implies).
! Instruction Scope
SKILL.md and README describe integrations and example flows that imply fetching real market data and supplier info. The runtime instructions and examples ask for an apiKey parameter. The SKILL.md gives no operational steps that would cause data exfiltration, but it is misleading: the instructions expect external data while the index.js methods generate simulated data locally. The instructions also reference contacting the author for paid services (WeChat/Telegram) — not a security hazard per se, but a trust/reputation consideration.
Install Mechanism
No install spec and package.json has no external dependencies; there is no download-from-URL or extract step. This is low-install-risk — nothing arbitrary will be written at install time beyond normal package files.
! Credentials
index.js reads process.env.ECOMMERCE_API_KEY as a fallback for the constructor's apiKey option, and SKILL.md examples include an apiKey parameter, but the skill's registry metadata lists no required environment variables or primary credential. The code does not require a key to run (it falls back to simulated data), so the presence of apiKey in examples is inconsistent and could mislead users into providing credentials unnecessarily.
Persistence & Privilege
The skill does not request always:true and has no OS restriction or config path requirements. It does not modify other skills or system settings. Autonomous invocation is allowed (platform default) but is not combined with other red flags.
What to consider before installing
This package appears to be a local simulator/prototype rather than a full integration: it generates random/simulated product metrics and supplier entries instead of calling Amazon, Google Trends, Alibaba, or social APIs. Before installing or using it for real research, consider:
1) Do you expect real-time market data? If so, this skill does not deliver that — ask the author or review/modify the code to add authorized API calls.
2) The examples show passing an apiKey and the code reads ECOMMERCE_API_KEY, but no credentials are declared in the registry metadata; do not supply sensitive keys unless you understand where they are sent (the current code does not send them anywhere).
3) The README/SKILL.md advertises paid consulting (WeChat/Telegram) — be cautious about off-platform payments and vet the author.
4) If you want honest behavior, request that the maintainer declare required env vars, document any network endpoints, implement (or clearly label) integrated data sources, and remove misleading claims.
Based on the mismatch between promises and implementation, treat this as a prototype/demo rather than a production-grade tool.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97f1tqt4fyk1xk62hwrz1wmk983hg9b


Runtime requirements

🛍️ Clawdis
