Ecommerce Product Pro

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill does not show malware-like code, but it appears to market simulated/random ecommerce data as professional product research and includes direct off-platform payment prompts.

Install only if you are comfortable treating this as a demo-style tool. Independently verify any product research before spending money, avoid off-platform payments or payment screenshots unless the publisher is verified, and do not provide API keys or sensitive business data until the data sources and review/memory behavior are clearly explained.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users could make inventory, supplier, or advertising decisions based on fabricated-looking market estimates.

Why it was flagged

The implementation generates random metrics for product analysis rather than using live marketplace, trend, or supplier data, while the skill is marketed as real ecommerce product research.

Skill content

// Simulate product analysis ... price: Math.random() * 50 + 20, monthlySales: Math.floor(Math.random() * 5000) + 500

Recommendation

Treat outputs as demo estimates only unless the publisher clearly discloses data sources and replaces random simulation with verified integrations.

What this means

A user could pay an unverified party or share transaction details without normal platform protections.

Why it was flagged

The skill solicits direct Alipay payment and payment screenshots from users, with incomplete contact details, rather than a clearly verified marketplace billing flow.

Skill content

## 💰 Paid Service — Direct Alipay Payment ... Scan to pay [Alipay payment QR code] ... After payment, contact: [to be added] WeChat/Telegram, send payment screenshot + category

Recommendation

Do not make off-platform payments or send payment screenshots unless you independently verify the publisher, service terms, refund policy, and official billing channel.

What this means

Supplying a real API key could grant the skill access to a third-party account if future code uses it.

Why it was flagged

The code can read an API key from options or the environment. This is plausible for an ecommerce data service, but credentials are sensitive and the registry does not declare a required credential.

Skill content

this.apiKey = options.apiKey || process.env.ECOMMERCE_API_KEY;

Recommendation

Only provide a least-privilege key after confirming what service it is for and how it will be used.

What this means

Stale or poisoned local context could influence product recommendations without the user noticing.

Why it was flagged

The skill says it automatically uses prior knowledge and session snapshots, but the referenced files are not included and the scope/retention rules are not described.

Skill content

- **Knowledge injection**: automatically searches for relevant experience before execution (`tasks/KNOWLEDGE.md`)
- **Session snapshot**: fast recovery (<1min, `tasks/SESSION-SNAPSHOT.md`)

Recommendation

Review or disable any persistent knowledge/session files before relying on recommendations.

What this means

Product research details, budgets, or business plans could be shared with an unspecified review process if implemented by the agent environment.

Why it was flagged

The skill references a cross-model review flow but does not define the reviewer identity, destination, or data boundary.

Skill content

- **Cross-model review**: invokes the review flow before key decisions (`/cross-review`)

Recommendation

Require explicit user approval before sending task context to another model, agent, or review workflow.