Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Keyword Reverse Lookup
v1.0.0
Amazon keyword reverse lookup engine. Find all keywords driving traffic to any ASIN, uncover hidden long-tail opportunities, build CPC ad keyword lists, and...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description promise reverse-engineering traffic-driving keywords and CPC intelligence for any ASIN, which normally requires access to Amazon search/analytics or third-party keyword databases. The skill requests no API keys, data sources, or tooling to obtain actual traffic/search-volume/CPC data; instead it contains manual heuristics (extract words from listings, generate permutations, estimate intent). That mismatch means the skill cannot legitimately deliver the claimed capabilities as-is.
Instruction Scope
SKILL.md is an instruction-only guide and contains CLI-like command names (reverse, keyword gap, cpc suggest, etc.) but no implementation. The instructions are largely methodological (how to extract and score keywords) and do not instruct reading sensitive files or env vars. However, they are vague about how to obtain search volumes, ranking estimates, or CPC data. This will push an agent to attempt web scraping, call unspecified external APIs, or use unspecified third-party services unless clarified. The ambiguity grants broad agent discretion ('estimate', 'score by estimated commercial intent').
Install Mechanism
No install spec and no code files are present; the skill is instruction-only. That is low install risk because nothing is written to disk or fetched automatically.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. This is proportionate to the instruction-only, heuristic nature of the skill. (If the skill later instructs using third-party APIs, additional credentials would be expected and should then be evaluated.)
Persistence & Privilege
always:false and default invocation settings — no forced persistent presence. The SKILL.md lists 'allowed-tools: Bash', meaning the agent may execute shell commands while using the skill; that is expected for instruction-only skills that run commands, but it does expand what the agent might do (e.g., run curl for scraping). This is normal but worth noting given the vague data-source guidance.
What to consider before installing
This skill reads like a methodology/playbook rather than a working tool: it tells an agent how to generate and score keywords from listing text but does not provide any data sources, APIs, or implementation to actually measure search volume or traffic. Before installing or using it:
1) Ask the author what data sources, APIs, or binaries the skill expects for search-volume, CPC, and ranking estimates.
2) Do not supply Amazon or third-party API keys until you confirm where and how they'll be used.
3) Expect that, as-written, an agent using this skill may attempt to scrape Amazon or call unspecified external services to fill in missing data — if you want to avoid that, restrict network access or require explicit approval for any web requests.
4) If you need real traffic/CPC data, prefer skills that explicitly integrate with reputable services (and list required env vars/credentials) or provide code that you can inspect.
Additional info that would change this assessment: concrete data-source references, sample implementations or scripts, or declared API credentials and their justified need.
Like a lobster shell, security has layers — review code before you run it.
