Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Competitor Analysis
v1.0.0
Full-spectrum Amazon competitor analysis. Compare listings, pricing, reviews, advertising strategy, and market positioning against direct competitors. Identi...
⭐ 1· 258·0 current·0 all-time
by nexscope-ai @nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and declared capabilities (listing comparison, review sentiment, pricing, ads visibility, etc.) are coherent with an Amazon competitor-analysis skill. However, the SKILL.md lists many platforms (Shopify, WooCommerce, Walmart, TikTok Shop, etc.) but the package declares no credentials or APIs for those platforms — deeper analyses on some platforms normally require API keys or authenticated access, which the skill does not request or document.
Instruction Scope
The runtime instructions are high-level and stay within the claimed purpose (collect user input, ask one multi-choice follow-up, research, then produce structured output). They don't instruct reading local files or environment variables. However, the 'Research and analyze' step is vague about what sources or methods are allowed (public web scraping, third‑party APIs, private account access), so it grants broad discretion to the agent without explicit limits.
Install Mechanism
Although the registry lists no install spec, SKILL.md suggests installing via an npx command: 'npx skills add nexscope-ai/eCommerce-Skills --skill amazon-competitor-analysis -g'. That instruction would fetch and execute remote code (npm/GitHub) outside the registry's declared install metadata. Because the registry provides no vetted install artifact, this is a mismatch and increases risk: running npx can execute arbitrary code from the referenced package/repo.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for analysis based only on public data. But several supported capabilities (advertising visibility, inventory/FBA details, in-depth seller analytics) often require authenticated APIs (Amazon Seller/Advertising API, Shopify API, etc.). The absence of any credential requirements is plausible but may indicate the skill intends to rely solely on public scraping — this should be made explicit.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not declare system-level changes. It is user-invocable and allows model invocation (default), which is normal for skills.
What to consider before installing
Before installing or running this skill:
1) Be cautious about the SKILL.md install instruction that uses 'npx' to fetch remote code — that can execute arbitrary packages. Prefer to see a registry-provided install spec or examine the package repo code and release integrity (signed release, commit hash) before running it.
2) Ask the author or vendor for a homepage/source repository and a clear list of required credentials/APIs; if the skill needs Amazon Seller/Advertising or Shopify API access, those should be declared and justified.
3) Clarify what 'research' entails: will it scrape public product pages (check legal/ToS implications) or attempt to access private accounts?
4) If you decide to run the npx install anyway, do so in an isolated environment (container or VM) and review the package contents first.
5) Consider whether you want an agent that can autonomously call external sites on your behalf — if not, restrict invocation or require manual approval for web queries.
If you want higher confidence, request the skill's source repository, an install manifest, and a short security/permissions justification from the publisher.
Like a lobster shell, security has layers — review code before you run it.
latest vk97edqrq7jb6zeyazftrqsjcv583h66m
