Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
amazon-research-reviews-skill
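v1.0.0
AI-driven in-depth analysis tool for e-commerce reviews, supporting 22-dimension intelligent tagging, user persona identification, VOC insights, and visual dashboard generation. Triggered when the user needs any of the following: - Analyze e-commerce product reviews (Amazon/eBay/AliExpress and other platforms) - Extract user personas, pain points, and VOC (voice of the customer) from reviews - Generate product insight reports and opportunity analysis - Create professional visual analysis...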
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (review analysis, VOC, personas, dashboards) align with the included scripts: CSV reading, batch creation, prompt generation, tag/stats merging and HTML report generation. No unrelated credentials, binaries, or network endpoints are requested by the skill. The scripts produce prompts for an LLM and expect LLM responses to be saved back as JSON—this matches the declared AI-driven workflow.
Instruction Scope
SKILL.md instructs the agent to read CSV files, create batched AI prompts, and save prompt/result files; the included scripts create and write prompt files containing raw review text and sample rows. This is consistent with the purpose, but it explicitly involves sending potentially sensitive customer review contents to an LLM (the skill relies on the agent/LLM to process prompts). Users should be aware that review text (which may include PII) will be included in prompts sent to the model.
Install Mechanism
There is no declared install spec (instruction-only), which minimizes upfront install risk. However the Python code will attempt to pip-install openpyxl at runtime if an Excel file is detected (os.system('pip install openpyxl -q')). That modifies the runtime environment and can pull packages from PyPI. Shell scripts expect common tools (python3, jq, iconv) to be present. No remote download URLs or archive extraction were observed.
Credentials
The skill declares no environment variables, credentials, or config paths. The scripts read and write files under the skill/project output directories and do not request unrelated secrets. This is proportionate to a CSV-based analysis tool.
Persistence & Privilege
always:false and typical agent invocation are used. The skill writes output files into output/{product}_{date} and creates prompt/result files—this is expected. It does not request permanent system-level privileges or modify other skills' configurations.
Assessment
This skill appears to do what it claims: parse CSV reviews, create batched prompts, and produce labeled CSV/Markdown/HTML reports. Before installing or running it:
1) Understand that review text (including any PII in reviews) will be embedded in prompts and sent to an LLM — do not upload sensitive customer data unless you accept that exposure.
2) The code may pip-install openpyxl at runtime and expects python3, jq, iconv and common Unix tools; run it in an environment where installing packages is acceptable (or pre-install dependencies).
3) The skill writes files into the skill/project output folders—review where those files are stored and their permissions.
4) If you need stricter data governance, sanitize PII from reviews before analysis or run the skill in an isolated environment.
If you want, I can list all files and the exact lines that create prompts or perform runtime installs so you can inspect them further.
Like a lobster shell, security has layers — review code before you run it.
