Skill v1.0.0
ClawScan security
Amazon Variation Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 8:10 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (Amazon variation strategy); it is instruction-only, requests no credentials, and contains no install spec, though its runtime instructions are high-level and the README suggests an external npx install command that isn't part of the registry entry.
- Guidance: This skill appears coherent and low-risk: it only contains instructions and asks no credentials. Before installing or running anything the SKILL.md suggests, verify the source (the README links to Nexscope GitHub pages; inspect those repos), and if you plan to run the provided 'npx' command, review the npm package contents and code first. Expect the agent to perform web research or use its tools when asked to 'research and analyze'; avoid pasting sensitive account credentials or proprietary data into the conversation. If you need higher assurance, request the skill's implementation code or a concrete list of data sources/methods from the author before use.
Review Dimensions
- Purpose & Capability (ok): Name, description, and SKILL.md content align: the skill describes parent-child variation planning and the instructions focus on collecting product context, asking follow-ups, and producing recommendations for Amazon marketplaces.
- Instruction Scope (note): SKILL.md contains high-level steps (collect user info, ask one multi-choice follow-up, 'research and analyze using the frameworks and methodology below') but does not specify external endpoints, files, or credentials. The vagueness grants broad discretion to the agent about how it 'researches' (e.g., web queries or internal tools), so reviewers should be aware the agent may perform web lookups or use other agent capabilities when executing the skill.
- Install Mechanism (note): Registry lists no install spec and there are no code files (instruction-only). SKILL.md nevertheless suggests running 'npx skills add nexscope/amazon-variation-strategy'; this is documentation only, not an install entry in the registry. That mismatch is not dangerous by itself but you should verify the npm package and repository before running any npx command.
- Credentials (ok): Skill declares no required environment variables, no credentials, and no config paths. Nothing in the instructions asks for secrets or unrelated credentials.
- Persistence & Privilege (ok): Skill is not marked always:true and uses default model-invocation permissions. That is normal; the skill does not request elevated persistence or access to other skills' configs.
