Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dropshipping Product Research
v1.0.0
Product research for dropshipping businesses. Identify profitable products with reliable suppliers, healthy margins, and manageable competition. Evaluates sh...
by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and supported platforms align with a product-research skill. The skill does not request unrelated credentials or system access in the registry metadata.
Instruction Scope
SKILL.md stays within product-research tasks (ask follow-ups, analyze, produce recommendations). The research step is vague and implicitly expects web-based market data; it does not instruct reading local files or secrets, but allows broad web queries which could fetch arbitrary external data.
Install Mechanism
There is no install spec in the registry, yet SKILL.md suggests running `npx skills add nexscope-ai/eCommerce-Skills --skill dropshipping-product-research -g`. That npx command would fetch and run remote code (higher-risk). The registry metadata should declare any install; the mismatch is an incoherence and merits manual review of the external package/repo before running.
Credentials
The skill declares no required environment variables or credentials. This is proportionate to an instruction-only research skill. Note: accessing platform APIs (Amazon, Shopify, etc.) would normally require credentials, but the SKILL.md does not request them.
Persistence & Privilege
always:false and normal invocation settings. The skill does not request persistent system-wide privileges in the registry metadata. The suggested global npx install (if run) could create persistent tooling, so treat that as an operational decision rather than a registry-declared privilege.
What to consider before installing
This appears to be a coherent dropshipping research skill, but take these precautions before installing or running it:
- Do not run the npx install command until you verify the package and repository (nexscope-ai/eCommerce-Skills). Inspect the GitHub repo and npm package contents and history.
- Prefer to run any untrusted package in a sandbox or container rather than installing globally (-g).
- The skill declares no credentials; do not provide API keys or tokens unless you understand why they are needed. If asked later for keys, prefer read-only and short-lived credentials.
- Because the SKILL.md's research step is vague, ask the maintainer which public data sources are used (APIs, scraping, third-party services). If you rely on specific data, request transparency about sources and methods.
- If you want a safer test, ask the maintainer for a minimal, local-only example or for the code to review before installation.
If you want, I can help locate the referenced GitHub repo and list specific files to review or produce a checklist for manual code inspection.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bms5r0nxws8p2ccnbd23w2183jkn0
