Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Backend Keywords
v1.0.0
Optimize Amazon backend search terms for maximum discoverability. Generate the optimal 250-byte backend keyword set by deduplicating, prioritizing, and forma...
by nexscope-ai @nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with the declared capabilities (deduplication, prioritization, formatting to 250 bytes). However, some advertised capabilities — specifically 'keyword prioritization by relevance and search volume signals' and 'research and analyze' — imply external data or analytics access that the skill does not declare (no APIs, credentials, or concrete data sources). This is a capability/requirement mismatch worth clarifying.
Instruction Scope
SKILL.md instructs the agent to collect product info from the user, ask a single multiple-choice follow-up, and produce structured output. It does not instruct the agent to read unrelated files, environment variables, or to exfiltrate data. The only concern is the vague 'research and analyze using the frameworks and methodology below' phrasing — there is no concrete methodology or explicit external-data steps, which grants the agent broad discretion.
Install Mechanism
Registry metadata shows 'No install spec' and no code files, but SKILL.md contains an 'Install' command recommending: 'npx skills add nexscope-ai/eCommerce-Skills --skill amazon-backend-keywords -g'. That instruction would fetch and run code from npm/GitHub when executed. The mismatch between the registry (no install) and the in-doc install instruction is inconsistent and increases risk because running the npx command downloads and executes third-party code not reviewed here.
Credentials
The skill declares no required environment variables, credentials, or config paths, which is appropriate for a text-based keyword helper. But the skill's claim of using 'search volume signals' suggests it might need external analytics APIs (e.g., Helium10, SEMrush, Google Trends) — none are declared. That raises a question: either the skill will use heuristics without external data (benign) or it will silently require external keys if you install the referenced package (not declared).
Persistence & Privilege
No special privileges requested. Flags are default (not always-on), user-invocable, and allow autonomous invocation (platform default). The skill does not declare persistent system changes or modifications to other skills' configurations.
What to consider before installing
This skill appears to do what it says (generate deduplicated, 250-byte backend keywords) but has two things to verify before you proceed: (1) The SKILL.md tells you to run an npx install command that would fetch third-party code, yet the registry metadata lists no install spec — review the npm/GitHub package (nexscope-ai/eCommerce-Skills) and its source code and license before running npx. (2) Ask the author how 'search volume signals' are obtained — does the skill call external paid APIs that will require you to supply credentials, or does it estimate volumes heuristically? Also avoid pasting any secrets or private data into prompts; only paste the product title/bullets and keyword candidates. If you want lower risk, use the skill only as an instruction-only flow (paste your listing and keywords) and decline to run the npx install until you've inspected the package source.
Like a lobster shell, security has layers — review code before you run it.
