Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ecommerce Assistant
v1.0.1
E-commerce product research, competitor analysis, and price monitoring for Amazon, Shopify, and other platforms. Use when researching Amazon product data, an...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with provided scripts (Amazon search, Shopify analysis, price tracking). However SKILL.md and README reference additional scripts (amazon_product.py, product_reporter.py, product_reporter email option) that are not present in the file manifest — this mismatch suggests incomplete packaging or sloppy documentation.
Instruction Scope
Runtime instructions tell the user/agent to run included scripts that perform network requests (Shopify product JSON endpoints, arbitrary store domains) and read/write files under the user's home directory (~/.ecommerce-assistant). The instructions also reference external GitHub demo and APIs. The skill's scripts may prompt for user input and will contact remote endpoints; the SKILL.md asks the agent to save/export data and to use APIs but does not show where to safely supply credentials. The missing referenced scripts increase uncertainty about actual runtime behavior.
Install Mechanism
No install spec — instruction-only with bundled scripts. Nothing downloads or extracts arbitrary code at install time from unknown URLs. Risk is limited to running the included scripts.
Credentials
The skill does not request environment variables or credentials in metadata. Scripts accept optional API key arguments (e.g., --api-key) but do not require secrets. There is no evidence of unrelated credential access in code.
Persistence & Privilege
always:false (no forced permanence). Scripts create and write to a per-user data directory (~/.ecommerce-assistant) to store watchlist and price history — this is expected for a tracker but is persistent on the user's machine. The skill does network I/O and can be invoked autonomously by the agent (default), which increases blast radius if misused, but that alone is not flagged as abnormal.
What to consider before installing
Before installing or running this skill:
- Note the documentation references files that are missing from the package (amazon_product.py, product_reporter.py). Treat that as a packaging/documentation issue and verify the upstream project (GitHub demo) before running.
- The included scripts perform network requests (to Shopify stores, possible APIs) and will create/read/write files under ~/.ecommerce-assistant. If you run them, expect local persistence of watchlists and price history.
- The skill does not require environment secrets, but some scripts accept API keys as arguments; do not provide sensitive keys unless you inspect the code and trust the upstream source.
- Because the package is instruction-only (no installer) the primary risk is from running the scripts. Review the code (or run in an isolated VM/container) to ensure there are no unexpected network endpoints or data exfiltration.
- If you need this functionality but want lower risk, only run the scripts with example/mock data, audit any network calls, and confirm the GitHub demo repo contents match the packaged files.
Like a lobster shell, security has layers — review code before you run it.
