Novai360 Cross-Border E-Commerce Intelligent Analysis
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill looks proportionate for external market analysis and does not show malicious code in the provided files. Before installing, be aware that your queries and some session context are sent to Novai360’s API, so avoid entering confidential business information unless you trust the provider and its privacy practices. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your product questions, ASINs, keywords, and some session/user context may be sent to Novai360’s API.
The skill posts the user’s message, inferred intent, and the full provided context object to Novai360’s external /chat API. This is aligned with the analysis service, but the context spread is broader than the minimum fields shown.
body: JSON.stringify(payload) ... context: { userId: context.userId || 'anonymous', sessionId: context.sessionId || Date.now().toString(), platform: context.platform || 'openclaw', ...context }
Do not include confidential business plans or secrets in queries unless you trust the provider; the developer should minimize forwarded context fields and document exactly what is sent.
The final report may reflect instructions or framing supplied by the remote API, not only neutral market data.
Text returned by the external API is inserted into the LLM prompt as an analysis framework. That is expected for report generation, but remote content can influence the final model output.
【分析框架】\n${apiResult.analysisFramework || '请根据数据提供专业的分析建议'}
Treat generated recommendations as advice to review, not automatic instructions for business decisions or account actions.
Users may assume a stronger privacy guarantee than can be verified from the submitted artifacts.
The skill makes broad privacy and compliance assurances, while the provided artifacts do not include a privacy policy, homepage, or compliance details to verify those claims.
All query data is encrypted ... user privacy is strictly protected ... complies with international data protection standards
Review the provider’s terms or privacy documentation before submitting sensitive commercial information.
