ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Affiliate Marketing Strategy

v1.0.0

Develop and optimize affiliate marketing programs for e-commerce, including setup, commissions, recruitment, tracking, and fraud control on major platforms.

0· 39·0 current·0 all-time
bynexscope-ai@nexscope
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md content are consistent: the skill is an advisory/instructional assistant for affiliate marketing across platforms (Shopify, Amazon, ShareASale, Impact, Refersion). No unrelated capabilities are requested.
Instruction Scope
SKILL.md is an instruction-only advisory guide and does not direct the agent to read local files, environment variables, or transmit data externally. However, the suggested usage (e.g., "Set up an affiliate program for my Shopify store") implies the agent may need platform credentials in practice; the skill does not declare or request those, which is acceptable for an advisory skill but should raise awareness that credentials may be requested at runtime by other code or by the agent.
!
Install Mechanism
Registry metadata shows no install spec and there are no code files, yet SKILL.md includes an 'Install' line instructing users to run 'npx skills add nexscope/affiliate-marketing-strategy'. That instruction would fetch and run code from the network via npx. Because the registry lists no install, no homepage is provided, and source is unknown, this is an unexplained provenance inconsistency and increases risk if a user actually runs the npx command.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional for a purely advisory/instructional skill. Note: performing real platform integrations (Shopify, Amazon, ShareASale) would require credentials, but those are not requested here.
Persistence & Privilege
Persistence flags are default (not always), no install spec writes to disk in the registry, and the skill does not request system-wide privileges. Autonomous invocation is enabled by default (normal); nothing indicates the skill would modify other skills or global agent settings.
Scan Findings in Context
[no-code-to-scan] expected: The regex scanner found nothing because the skill is instruction-only with no code files. That absence of findings is expected but not evidence of safety.
What to consider before installing
This appears to be a legitimate advisory skill for affiliate marketing, but pay attention to provenance before running anything. The SKILL.md suggests installing via 'npx skills add nexscope/affiliate-marketing-strategy' even though the registry lists no install spec, no homepage, and the source is unknown. Running npx fetches code from the network and can execute arbitrary scripts—only run it if you trust the publisher. If you want to proceed safely: (1) search for the package and publisher (Nexscope) on npm and GitHub and verify the repository and maintainer identity; (2) inspect the package code before running npx; (3) be prepared to provide platform credentials (Shopify, Amazon, etc.) if you ask the agent to perform live setup — only supply credentials through secure, minimal-permission means and prefer temporary or scoped keys; (4) if you only need recommendations, use the skill as-is without running any install command. If you want a higher-confidence assessment, provide the package repository or publisher proof so the install instruction can be validated.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c3vmq8f001s88y7dwtr6bzh840vgt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments