Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Repricing Strategy

v1.0.0

Amazon repricing strategy advisor — competitive pricing rules, Buy Box optimization, margin protection, and repricing tool selection. Builds custom repricing...

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and runtime instructions align: it asks the user for seller details and provides repricing rules, tool recommendations, and KPIs. Nothing in the SKILL.md requests unrelated system access or credentials.
Instruction Scope
Instructions are limited to asking the seller for SKU counts, categories, margins, current repricing approach, then producing strategy output. The skill does not instruct the agent to read system files, environment variables, or call external endpoints on its own.
Install Mechanism
Registry metadata shows no install spec and no code files, yet SKILL.md includes an 'npx skills add nexscope/amazon-repricing-strategy' install command. That suggests installation would fetch and execute code from npm/GitHub (external network). The registry entry itself provides no package provenance, homepage, or verified owner to confirm the source—this is a potential supply-chain risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. Its prompt flow asks for user-provided seller details (which is appropriate). There is no unexplained request for API keys or system secrets in the SKILL.md.
Persistence & Privilege
The skill does not request always: true and has default autonomy settings. It does not indicate it will modify other skills or system settings. No excessive persistence or elevated privileges are declared.
What to consider before installing
This skill appears functionally coherent and instruction-only, which is lower-risk. However: (1) the SKILL.md recommends installing via an npx command even though the registry lists no install spec or homepage—npx will fetch and run remote code, so verify the package/source before running it. (2) The publisher and homepage are unknown; inspect the npm package/GitHub repo, read package.json and README, and confirm the maintainer identity and recent activity. (3) The skill may later ask you to integrate with Amazon Seller Central—do not paste your Seller Central credentials into chat; instead use official integrations or platform-provided secure credential inputs. If you cannot verify the package owner or source, avoid running the npx install and prefer a skill with clear provenance.

Like a lobster shell, security has layers — review code before you run it.
