Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Niche Finder

v1.0.0

Discover profitable Amazon niches with low competition and high demand. Evaluates niche viability using demand indicators, competition metrics, profit margin...

by nexscope-ai@nexscope

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and declared capabilities (niche scoring, competition assessment, etc.) are consistent with an Amazon/commerce research tool. However, the SKILL.md lists many supported platforms (Shopify, WooCommerce, TikTok Shop, Etsy, etc.) but does not declare any credentials or explain how it will access platform-specific data, which is a notable omission.
Instruction Scope
The runtime instructions are high-level and allow the agent broad discretion to "research and analyze" without specifying permitted data sources or APIs. That open-ended phrasing can lead to the agent scraping or contacting arbitrary websites or requesting credentials. The follow-up question step is well-scoped, but the overall research step is vague and could cause unexpected data access.
Install Mechanism
Although the registry lists no install spec (instruction-only), the SKILL.md includes a user Install command using npx to add nexscope-ai/eCommerce-Skills globally. That command would pull and execute code from the npm ecosystem (or a GitHub/npm package) outside the registry's control — a potential source of arbitrary code execution if the package is untrusted. The registry should either provide a vetted install or explicitly document the source and trustworthiness of that package.
Credentials
The skill declares no required environment variables or credentials, which is consistent with an instruction-only tool that uses only public data. At the same time, because it advertises integration with many commerce platforms (which commonly require API keys), the absence of any declared credential requirements is ambiguous: deeper integrations would typically need platform-specific keys, but none are requested or described.
Persistence & Privilege
The skill does not request always-on presence and uses default autonomous-invocation settings (normal for skills). There is no evidence it modifies other skills or writes persistent system-wide configuration.
What to consider before installing
Before installing or running this skill: (1) Do not run the provided npx command unless you trust the nexscope-ai package — npx will fetch and execute remote code. Verify the package source (GitHub/npm repo, maintainer, recent activity, and code) before running. (2) Ask the skill author how it obtains data for each supported platform and whether any API keys will be requested; require explicit declarations for any credentials. (3) If you must try it, run the installation in a sandbox or isolated environment and avoid supplying platform credentials until you confirm the package's safety. (4) Prefer skills whose registry entry includes an install spec and provenance (official repo/maintainer) or that operate purely on user-provided data.

Like a lobster shell, security has layers — review code before you run it.

latest: vk976w67psbq0x3z8kpa4y04qjs83knt5
