Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Review Analyzer

v1.0.0

Deep-dive Amazon review analysis. Extract sentiment patterns, recurring complaints, feature requests, and competitive insights from product reviews. Turn cus...

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description promise is plausible for an analysis skill, but the SKILL.md lists many platforms (Amazon, Shopify, Walmart, etc.) that in practice require platform-specific access (APIs, scraping, or user-provided exports). The skill declares no required credentials, env vars, or config paths to obtain reviews, which is inconsistent with its claimed capabilities.
! Instruction Scope
Runtime instructions are high-level and open-ended: 'Collect information from the user's message' and 'Research and analyze' without specifying how to fetch reviews or what external endpoints/tools are allowed. That vagueness gives the agent broad discretion (potentially to web-scrape or call unknown services) and does not constrain what data may be collected or transmitted.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk for this review, but the doc includes an 'npx skills add nexscope-ai/eCommerce-Skills' command. Running that npx command would fetch and execute code from an external npm package (not included here); the SKILL.md's suggested install is outside the declared skill bundle and should be treated as unverified until you inspect that package.
! Credentials
The skill declares no required environment variables or credentials, yet supported platforms typically require API keys, tokens, or scraping. The absence of any declared credential requirements is disproportionate to the functionality and leaves unanswered how the skill will obtain review data. This increases the chance the agent will request user secrets ad-hoc or attempt uncontrolled web access.
Persistence & Privilege
No 'always: true' flag and the skill is user-invocable only. There are no install scripts or code in the bundle that would persistently modify agent configuration. From the provided files, the skill does not request elevated persistence or system-wide changes.
What to consider before installing
Before installing or using this skill, ask the provider how review data is supposed to be supplied: do they expect you to paste exports, provide API credentials, or allow the agent to scrape public pages? Do not run the npx install command unless you have inspected the referenced npm package. If you must provide platform credentials, give least-privilege API keys or scoped tokens (not full account passwords). Prefer supplying a CSV or dataset of reviews yourself rather than granting the agent broad web/scraping access. If you proceed, test in a sandboxed environment and request written documentation of data sources and privacy handling from the skill author.

Like a lobster shell, security has layers — review code before you run it.
