Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Subscribe & Save

v1.0.0

Subscribe & Save optimization — enrollment, discount tiers, frequency optimization, retention analysis

0· 59·0 current·0 all-time
by nexscope-ai@nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The skill claims capabilities like 'enrollment' and 'Subscribe & Save optimization' which in practice often require access to a seller's Amazon account or API credentials (SP-API/MWS) to enroll products or change listing settings. The skill declares no required credentials or config paths. That mismatch could mean the skill is only advisory (fine) or it's incomplete/misleading about automation capabilities.
Instruction Scope
SKILL.md instructs the agent to 'Collect information from the user's message' and to 'Research and analyze using the frameworks and methodology below' but doesn't define where research happens, what external tools may be used, or whether any account access will be performed. The instructions are high-level and grant the agent broad discretion (e.g., to use web research or other tools) without constraints.
!
Install Mechanism
There is no install spec in the registry, but SKILL.md includes an 'npx skills add nexscope/amazon-subscribe-save' command (pulling from an external namespace). That discrepancy is a red flag: either the registry entry is incomplete or the SKILL.md points to an external package not tracked by the registry. Installing via npx from an unverified source carries risk.
!
Credentials
The skill requires no environment variables or credentials. For purely advisory output that is reasonable. For actual enrollment/automation, missing any requirement for Amazon seller credentials is disproportionate. The absence of declared credentials leaves unclear whether the skill will ask users for secrets at runtime or cannot perform automation it advertises.
Persistence & Privilege
The skill is not always-enabled and has no install spec that writes to disk (instruction-only). It does not request persistent privileged presence or modify other skills according to the registry data.
What to consider before installing
This skill may be purely advisory, or it may be claiming automation it cannot perform — treat it as unverified. Before installing or running it:
(1) Ask the author (or the Nexscope links in SKILL.md) whether the skill performs account-level actions and, if so, which credentials it needs and how they are stored.
(2) Do not provide Amazon seller credentials unless you confirm the skill's source and a clear, minimal scope for credential use (and prefer OAuth or short-lived tokens).
(3) Verify the external install command (npx nexscope/...) by inspecting the package or repository on GitHub/domain and confirming the publisher identity; avoid running npx from unknown packages.
(4) If you only want recommendations, provide product-level data (sales, conversion, pricing) rather than account credentials.
Additional information that would raise confidence: a published install spec tied to a verified repo, a privacy/dataflow statement explaining if/how seller credentials are used, or explicit confirmation that the skill is advisory-only (no account changes).

Like a lobster shell, security has layers — review code before you run it.
