Skill v0.1.0

ClawScan security

Mobazha Product Import · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 12:23 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions generally match an import/migration tool, but it omits declaring required credentials and explicitly advises scraping techniques (IP rotation/residential proxies/headless browsers) that could be used to evade protections — this mismatch and the scraping guidance warrant caution.
Guidance
This skill appears to do what it says (migrate product listings), but take these precautions before using or installing it:
- Do not feed real API tokens or store bearer tokens into a skill unless you trust the source; the SKILL.md uses Authorization tokens and Shopify access tokens but the package doesn't declare them.
- The included Amazon scraping guide explicitly recommends IP rotation/residential proxies and headless browsers to evade blocks — that can violate site terms of service and may be legally or ethically risky. Only use scraping instructions on sites you own or have explicit permission to scrape.
- If you plan to import, verify the existence and behavior of the referenced MCP tool (listings_import_json) and confirm how authentication should be supplied; ask the skill author to declare required env vars/credentials in the metadata.
- For safety, perform imports on a test store first, and avoid rehosting content you don't have rights to (images, text).
- If you need higher assurance, request from the publisher: (1) explicit list of required credentials, (2) clarification about MCP/tool availability, and (3) removal or moderation of instructions that encourage evading anti-scraping defenses.

Review Dimensions

Purpose & Capability
note
The name/description (product import into Mobazha) matches the included instructions and mapping docs. However the SKILL.md references an MCP 'listings_import_json' tool and examples that require an Authorization token or Shopify API token but the skill declares no required credentials or env vars. That omission is a mismatch (the skill expects API tokens but doesn't declare them).
Instruction Scope
concern
Instructions include step-by-step guidance for scraping Amazon (full scraping code, DOM selectors) and explicitly recommend IP rotation / residential proxies and headless browsers to avoid blocks. While scraping can be legitimate for migrating a user's own listings, recommending evasion techniques broadens the scope into potentially abusive behavior and increases legal/ethical risk. The instructions also direct downloading and rehosting images, which is normal for import but notable for data movement.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files executed by the platform, so there is low risk of arbitrary code being written to disk by the skill itself.
Credentials
concern
The skill declares no required environment variables, yet the docs and examples expect secrets/tokens (store Authorization bearer token for the Mobazha API, Shopify X-Shopify-Access-Token, potentially Amazon PA-API credentials). Not declaring these required credentials is an incoherence and could cause users to unknowingly supply sensitive tokens without clear indication of where/why they're needed.
Persistence & Privilege
ok
The skill is not always-enabled, does not request persistent system-level privileges, and being instruction-only it does not modify other skills or system settings.