Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Competitive Pricing Strategy
v1.0.0
Create and optimize data-driven pricing strategies using competitor analysis, psychological pricing, margin optimization, and dynamic repricing across market...
by nexscope-ai@nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md content are aligned: the skill describes competitor analysis, margin calculations, and dynamic repricing. However, some claimed capabilities (competitor price monitoring, multi-marketplace dynamic repricing) typically require marketplace API access or web scraping — yet the skill declares no required credentials or config. This is plausible for an instruction-only skill (it may expect the agent or user to supply data), but it reduces transparency.
Instruction Scope
SKILL.md itself contains only high-level guidance and example prompts; it does not explicitly instruct the agent to read local files or exfiltrate data. But it is vague about data sources and methods for 'competitor price mapping and monitoring' and 'dynamic repricing' — leaving broad discretion to fetch data from external sites/APIs or to request user credentials. That open-endedness increases risk if an agent is granted autonomous access or if a user supplies credentials without understanding scope.
Install Mechanism
The SKILL.md includes an 'Install' line recommending: npx skills add nexscope/competitive-pricing-strategy, but the registry entry contains no install spec and no code files. That mismatch is concerning: the README is instructing users to run an external npx command that would fetch and execute code not present in this skill bundle. This could be outdated documentation or an attempt to steer users to an external package — either way it is a transparency and supply-chain risk.
Credentials
The skill declares no required environment variables or credentials. Yet practical use (Amazon, Shopify integrations; fee/margin calculations; MAP compliance checks) commonly requires API keys or store credentials. The lack of declared credentials isn't necessarily malicious, but it means the skill does not disclose what secrets it may later ask the user to provide, which reduces the ability to make an informed decision.
Persistence & Privilege
The skill is not force-enabled (always:false) and uses default model invocation behavior. There is no install spec or code that would persist on disk in this registry entry. These defaults are normal and do not add unexpected privileges by themselves.
What to consider before installing
Before installing or using this skill, consider the following:
- Do not run the npx install command unless you trust the source and have inspected the package it would fetch — this registry entry contains no code, so the SKILL.md's npx instruction may point to external code you haven't reviewed. Running npx will download and execute code from the network, which is higher risk.
- Expect the agent or the skill to ask for marketplace credentials (Amazon SP-API/MWS, Shopify API keys, etc.) or permission to access competitor websites. Only provide credentials if you understand exactly what will be accessed and why, and prefer time-limited or least-privilege credentials.
- Clarify with the author how competitor pricing data is collected (API, licensed data provider, or web scraping). Scraping competitors or automated repricing can have legal or Terms-of-Service implications (and MAP/antitrust risks).
- Ask the publisher for an install spec, source code, or a canonical package URL so you can audit what would be installed. If they cannot provide that, treat the npx instruction as a red flag.
- If you want a lower-risk setup: request a version of the skill that documents required credentials, data sources, and provides code for review, or use the skill only interactively (do not grant it autonomous agent control).
What would change this assessment: published code or an install spec in the registry matching the SKILL.md 'nexscope' package, and clear declarations of what credentials and data sources are required and how data is accessed. With those, the skill could move to benign if everything matches and no external, unexpected code execution is required.
Like a lobster shell, security has layers — review code before you run it.
