EcomSeer
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
EcomSeer mostly matches its TikTok Shop analytics purpose, but it includes a hardcoded bearer credential for its deep-research service and sends complex queries to an external hosted report service.
Review carefully before installing. The normal EcomSeer API-key requirement is expected, but the hardcoded bearer token should be removed or explained by the publisher. Until then, avoid confidential business queries, configure keys manually if possible, and verify EcomSeer's report privacy and access controls.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Deep-research requests may run under a shared or developer credential rather than a user-scoped credential, and an exposed token could be abused or cause usage to be misattributed.
The static scan reports a hardcoded bearer authorization header in the deep-research request; the visible SKILL.md excerpt also shows an Authorization bearer header for `https://deepresearch.ecomseer.com/research`.
-H "Authorization: Bearer [REDACTED]"
Remove the hardcoded bearer token, rotate it if real, and authenticate deep-research calls using a declared, user-scoped credential or a backend-controlled token exchange.
Your EcomSeer API key will be stored locally in OpenClaw config if you paste it to the assistant for setup.
The skill can persist a user-provided EcomSeer API key in OpenClaw configuration, which is expected for this integration but still a credential-handling step.
openclaw config set skills.entries.ecomseer.apiKey "{KEY}"
Configure the API key only if you trust the skill and provider; consider setting it manually and rotate the key if it is accidentally exposed.
Business questions, query context, and generated analysis may be processed and hosted by EcomSeer outside your local agent session.
Complex queries are sent to a server-side AI research system and the output is hosted as a shareable report; this is disclosed and purpose-aligned, but it is an external data boundary.
Deep Research — AI-powered deep analysis... Automatically triggered... Reports are hosted and shareable via link.
Avoid submitting confidential strategy or private business data unless you understand EcomSeer's report access controls, retention, and sharing behavior.
Using the skill will make network requests to EcomSeer with your API key to fetch analytics data.
The skill relies on shell `curl` commands to call EcomSeer's APIs; this is central to the stated purpose and no destructive local commands are shown.
curl -s "https://www.ecomseer.com/api/open/{endpoint}?{params}" -H "X-API-Key: $ECOMSEER_API_KEY"
Verify the target domains and use the skill only for queries you are comfortable sending to EcomSeer.
