Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Product Bundling
v1.0.0
Product bundling strategy — virtual bundles, multi-pack pricing, cross-sell bundles, bundle listing optimization
by nexscope-ai @nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and declared capabilities (Amazon product bundling, marketplaces listed) are coherent and proportionate. The skill does not request unrelated credentials or system access in its manifest.
Instruction Scope
SKILL.md is an instruction-only runtime guide that asks the agent to collect user-provided product/context info, ask a single multi-choice follow-up, and then 'research and analyze'. The term 'research' is vague and gives broad discretion (web lookups, use of browsing tools, or other data sources) but does not explicitly instruct the agent to read local files or request credentials. The guidance to 'use frameworks and methodology below' is misleading because no frameworks are actually included.
Install Mechanism
SKILL.md contains an 'Install' command (npx skills add nexscope/amazon-product-bundling) that would pull code at runtime, but the registry shows no install spec and no code files. This mismatch is a red flag: running that npx command would execute code from an external source (npm/GitHub), which is higher risk unless the source is verified. The skill package as published here is instruction-only, so the install line is inconsistent with the actual metadata.
Credentials
The published metadata requests no environment variables, credentials, or config paths. That is proportionate for a consulting/strategy skill which should not need access to private accounts. There is no declared need for Seller Central or AWS credentials.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges in its metadata.
What to consider before installing
This skill appears to be a content/instruction-only assistant for Amazon bundling and is internally coherent in purpose, but there are a few things to check before using or running any install steps:
- Do not run the 'npx skills add nexscope/amazon-product-bundling' command until you verify the publisher and source. The skill metadata here contains no install or code, so the SKILL.md's npx line is inconsistent and could pull and run arbitrary code from the network.
- Ask the publisher for a canonical install URL or a link to the exact npm/GitHub package/release. Verify the repository and inspect its files before running any install commands.
- Clarify what 'research and analyze' means and whether the skill will attempt to access external web services or your Amazon Seller Central account. The manifest does not request credentials, so any request to provide them should be treated as suspicious.
- If you must try it, run any install in a sandboxed environment (isolated VM/container) and review the package contents first.
- If you want a safer alternative, request an explicitly instruction-only skill (no npx/install line) or ask for the frameworks/methodology that were referenced but not included so you can evaluate the logic without running external code.
Given the mismatch between the README and the registry metadata and the vague 'research' instruction, exercise caution and verify the source before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latestvk972tv66v7vb0sk8x18sfxbe8s84h9fq
