Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Product Commerce

v1.0.0

Search products, check prices and stock, create quotes, place orders — multi-tenant B2B/B2C commerce API

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (product search, pricing, quotes, orders) align with the SKILL.md curl examples and listed MCP tools. The endpoints and operations shown (search, prices, check availability, create quote, place order) are coherent with a commerce API.
! Instruction Scope
Runtime instructions directly POST to external endpoints that can create quotes and place orders. The SKILL.md provides concrete commands that transmit order and delivery data to https://sputnikx.xyz/api without any authentication or headers beyond Content-Type. That lack of auth is unexpected for operations that modify external state and potentially incur charges; it could be legitimate (public/guest API) but is an important inconsistency to verify.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal local footprint. This is low-risk from an install/execution perspective.
! Credentials
The skill declares no required environment variables or credentials. Given that it can place orders and create quotes, one would normally expect at least an API key, merchant account credentials, or user context; absence of any credential requirements is disproportionate and should be confirmed with the provider.
Persistence & Privilege
always is false and the skill does not request persistent system configuration. It is user-invocable and allows autonomous invocation by default (platform normal), but nothing in the skill requests elevated presence or modifies other skills.
What to consider before installing
This skill appears to be a thin wrapper around an external commerce API (https://sputnikx.xyz). Before installing:
1) Confirm the API's authentication model — verify whether quotes/orders require API keys, OAuth, or other auth; do not allow the skill to run autonomously if it can place orders without explicit confirmation.
2) Check billing and side effects — test in a sandbox or with no-op/test endpoints to ensure you won't create real orders or incur charges.
3) Verify the provider and domain (sputnikx.xyz) reputation and review API docs to ensure endpoints are legit.
4) If you need safety, restrict the skill from autonomous invocation or require explicit user confirmation for any action that creates orders or sends data externally.

Like a lobster shell, security has layers — review code before you run it.

latestvk9756wy8a093dkrtvetsemk3rd83c75k
