Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Competitor Price Analysis

v1.0.0

Analyze competitor pricing strategies across e-commerce platforms. Map price positions, identify pricing gaps, evaluate price elasticity signals, and develop...

by nexscope-ai @nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill promises automated price mapping across many platforms (Amazon, Shopify, eBay, Walmart, etc.). That capability normally requires either platform APIs or web-scraping code and sometimes credentials. The registry shows no code, no install spec, and no required credentials, which is inconsistent with the stated capability. Additionally, the SKILL.md includes an npx install command (nexscope-ai/eCommerce-Skills) while the published registry bundle contains no install artifact — this mismatch is unexplained.
Instruction Scope
Runtime instructions are high-level: collect product info from the user, ask a single follow-up, then 'research and analyze' using unspecified frameworks. The instructions do not specify how to obtain competitor pricing (which APIs, scraping tools, or user-supplied data), nor do they request the credentials that might be needed for deeper data access. This vagueness could be harmless (expecting public research) or could hide that an additional package is required; it should be clarified.
Install Mechanism
The SKILL.md tells the user to run an npx command to install nexscope-ai/eCommerce-Skills, but the registry entry contains no install spec and no code files. If the skill truly requires installing an npm package, that package should be declared and inspected — the current absence is an inconsistency and raises supply-chain concerns (unknown package source, global install flag in example).
Credentials
The skill declares no required environment variables or credentials. That can be reasonable for analyses based on public product pages, but for reliable cross-platform, real-time pricing (or store-owner APIs) credentials are often needed. The absence of declared credentials isn't proof of malicious intent, but the documentation should state whether it relies solely on public data or needs API keys.
Persistence & Privilege
The skill does not request always:true, does not declare privileged config paths, and is user-invocable. There are no signs it requires elevated or persistent agent privileges from the registry metadata.
What to consider before installing
Don't install or run unknown npm packages globally based solely on this SKILL.md. Ask the maintainer for: (1) the actual code repository or npm package URL and a link to the package tarball; (2) a clear description of what data sources the skill will access (public pages vs. authenticated APIs) and which credentials, if any, are required; (3) whether the agent will need web-browsing or scraping tools and how scraped data is stored/transmitted. If you consider installing the suggested npm package, review its source code first, or run it in a sandboxed environment. If you only want analysis, prefer providing exported competitor price data (CSV/URLs) rather than granting broad scraping or API access until you can inspect the implementation.


latest: vk975mtabesz2a9ra8jqxy7krc983k4yr
