Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Product Research
v1.0.0
Identifies winning e-commerce products by analyzing social trends, regional demand, marketplace data, and prepares WooCommerce or Shopify store drafts accord...
by Hagen Hoferichter (@h4gen)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (e‑commerce product research + store draft creation) matches the requested binaries (node, npx for CLI orchestration) and the three API keys (trend provider, Google Places, api-gateway). The listed upstream skills (tavily-search, goplaces, api-gateway, shopify/woocommerce) align with the stated workflow.
Instruction Scope
SKILL.md limits actions to trend scanning, regional checks, marketplace gating, sourcing checks, and optional draft creation via api-gateway. It only reads the declared env vars (it even instructs explicit preflight checks) and describes blocked/fallback behavior when connections are missing. There are no instructions to read arbitrary system files or unrelated credentials.
Install Mechanism
The skill is instruction-only (no packaged install), but the runtime instructions call npx to install other ClawHub skills (network download + execution). This is expected for a Node/CLI-based orchestration skill, but it means code will be fetched at install time — review the referenced upstream skills before running those npx install commands.
Credentials
The three required env vars (TAVILY_API_KEY, GOOGLE_PLACES_API_KEY, MATON_API_KEY) directly map to the services the skill says it will use. The SKILL.md also documents that an API key alone may not be sufficient for api-gateway (OAuth app connections required), which limits unilateral power of a single key.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no indication it will change other skills' configs or request permanent system-level privileges.
Assessment
This skill appears to do what it claims, but it orchestrates other tools and will download upstream skills via npx. Before installing or running it: (1) verify and trust the referenced upstream skills (tavily-search, goplaces, api-gateway, shopify) — inspect their code and permissions; (2) provide API keys scoped to the minimum necessary permissions (avoid giving full-account keys where scoped keys are available); (3) be aware api-gateway requires additional OAuth connections for store operations — giving MATON_API_KEY alone is not sufficient but still provides access to that gateway; (4) prefer running this in an isolated environment or sandbox if you want to limit blast radius; and (5) note shopify is marked under maintenance in the skill, so prefer WooCommerce or manual deployment until upstream support is confirmed.
Like a lobster shell, security has layers — review code before you run it.
latest vk97aqs6q07rcw8cw32jfc40jcd814rsg
Runtime requirements
🕵️ Clawdis
Bins: node, npx, goplaces
Env: TAVILY_API_KEY, GOOGLE_PLACES_API_KEY, MATON_API_KEY
