Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Deal Finder

v1.0.0

Plan and optimize Amazon promotional deals — Lightning Deals, Best Deals, Coupons, and Prime Exclusive Discounts. Evaluate deal ROI, timing, and strategy for...

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (plan/optimize Amazon promotions) aligns with the capabilities described (ROI calc, timing, inventory prep). However it lists many other platforms (Shopify, WooCommerce, Walmart, TikTok Shop, Etsy, eBay, BigCommerce) that would typically require platform-specific integrations/credentials; the skill declares no credentials, which is plausible if it only provides advisory calculations from user-supplied data but is worth calling out.
! Instruction Scope
SKILL.md includes a concrete 'Install' instruction to run 'npx skills add nexscope-ai/eCommerce-Skills --skill amazon-deal-finder -g'. The skill package itself contains no code and declares no install spec, so the runtime instructions direct the user to fetch and run external code outside of the registry — a behavior not reflected elsewhere in the metadata. The doc also says 'Research and analyze' without specifying data sources or limits, so it's unclear whether the agent will attempt external web access or request credentials.
! Install Mechanism
Although the registry lists no install spec, the SKILL.md recommends using npx to install a third-party npm package globally. npx will fetch and execute code from the npm registry (supply-chain risk). The skill bundle itself contains no code for review, so following that instruction would pull arbitrary code not covered by this registry listing.
Credentials
The skill declares no required environment variables or credentials. Given support for multiple storefronts and Amazon-specific operations, one would normally expect optional or required API keys for richer integrations. The absence of declared credentials is coherent if the skill only uses user-provided figures in chat, but it's unusual given the platforms listed and should be confirmed.
Persistence & Privilege
The skill does not request permanent presence (always:false) and uses default autonomy settings. It does not ask to modify other skills or system-wide configs in the provided instructions.
What to consider before installing
This skill appears to be an advisory tool for planning Amazon deals and can be useful, but there are a few red flags you should check before installing or running anything:
1) SKILL.md tells you to run an 'npx' command that will download and run code from npm — confirm the 'nexscope-ai/eCommerce-Skills' package is trustworthy and review its source code before executing it.
2) The registry package itself contains no code or install spec, so the recommended installer is external to this listing — that's a supply-chain inconsistency.
3) The skill lists many storefront platforms but declares no credentials; ask the developer whether the skill will ever request API keys or access accounts, and whether it only works from user-supplied metrics.
4) If you do run the npx installer, prefer running it in a controlled environment (sandbox or container) and inspect the package contents first.
If you need help, ask the publisher for a link to the exact npm package and to the GitHub repo so you can review the source before installation.

Like a lobster shell, security has layers — review code before you run it.
