Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Trending Products

v1.0.0

Discover trending products and rising categories on Amazon. Analyzes Best Seller Rank (BSR) patterns, new release momentum, seasonal trends, and emerging nic...

0· 74·0 current·0 all-time
by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill promises BSR trend analysis, new-release tracking, and cross‑platform marketplace analysis, but the package declares no required binaries, no environment variables, and no access instructions for Amazon or other marketplaces. Accessing BSR or marketplace metrics normally requires an API (Amazon PA API) or scraping and credentials; none are declared or described, so the claimed capabilities lack a justified data source.
Instruction Scope
SKILL.md describes a runtime flow (collect user input, ask follow-ups, research/analyze) but does not specify how the agent should 'research' (which APIs to call, whether to scrape, or what external services to use). It does not instruct the agent to ask the user for data or credentials, nor does it limit what sources to consult — leaving broad, ambiguous authority to fetch external data.
Install Mechanism
Although the skill package itself has no install spec, the SKILL.md includes an npx install command (npx skills add nexscope-ai/eCommerce-Skills --skill amazon-trending-products -g). That suggests relying on an external npm/registry artifact or GitHub-hosted code not included in this skill bundle. Because the registry metadata contains no install details, that external install instruction is inconsistent and could pull arbitrary code if followed.
Credentials
No environment variables or credentials are declared despite the skill claiming to access Amazon, Shopify, Etsy, etc. A legitimate implementation would typically require one or more API keys/tokens (or explicit guidance to request them from the user). The absence of any declared credential is disproportionate to the stated cross‑platform data needs.
Persistence & Privilege
The skill does not request persistent or platform-wide privileges (always is false) and contains no instructions to modify other skills or global settings. Autonomous invocation is allowed by default (normal), but there is no evidence of additional dangerous persistence.
What to consider before installing
This skill's documentation promises Amazon data analysis but doesn't explain how it obtains the data. Before installing or using it:
1) Do not run the npx install command until you inspect the nexscope-ai package source (that command will fetch and execute code from outside this skill).
2) Ask the publisher how BSR and marketplace data are collected and which credentials or APIs are required.
3) If asked to provide Amazon/Shopify/etc. keys, verify the exact API calls and the minimal permissions required, and prefer scoped API credentials.
4) Review the external GitHub/npm package (nexscope-ai/eCommerce-Skills) for code quality and network/file operations.
Because of these inconsistencies, treat the skill as suspicious until the author clarifies the data sources and install origin.

Like a lobster shell, security has layers — review code before you run it.
