Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dynamic Pricing for E-Commerce
v1.0.0
Implement demand-, competitor-, and time-based dynamic pricing strategies with platform-specific tools and margin controls for optimized e-commerce pricing.
by nexscope-ai@nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims platform-specific integrations (Amazon, Walmart, Shopify), competitive intelligence, and automated repricing — capabilities that legitimately require access to seller/platform APIs and credentials. However, the registry metadata lists no required environment variables, no config paths, and no primary credential. That mismatch suggests the skill is incomplete or expects to obtain credentials/privileged access outside the declared metadata.
Instruction Scope
The SKILL.md is high-level and does not instruct the agent to read unrelated files or credentials, but it does include an 'Install' line telling the user/agent to run 'npx skills add nexscope/dynamic-pricing-ecommerce'. This directs the agent to fetch and run external code (npm) even though the registry entry has no install spec or code. The instructions are vague about what data, credentials, or network endpoints will be used by that external package.
Install Mechanism
The registry lists no install spec or code files, yet SKILL.md recommends installing via npx (which will pull a package from npm/unverified source). That is a higher-risk install pattern because it downloads and runs external code not visible in this registry entry. The package origin (nexscope/...) and its contents are not provided here, so you cannot audit what would be installed.
Credentials
For the claimed functionality (integrating with marketplaces, performing repricing, accessing sales/competitor data) you would normally expect explicit requirements for API keys, OAuth client IDs, or config paths. The absence of any declared env vars or credentials is disproportionate and unexplained — either the skill is non-functional as published or it expects to obtain secrets later (e.g., after installing the external package).
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-level config changes. Autonomous model invocation remains allowed (platform default). The main persistence/privilege concern is that the SKILL.md's npx command would install an external package; that behavior is outside this registry entry but is notable.
What to consider before installing
This skill is incomplete and potentially risky as presented. Before installing or running the npx command:
1) Ask the publisher for the source repository or package page (GitHub/NPM) and review the code and README.
2) Verify the publisher identity (Nexscope) and inspect the npm package contents and recent releases for malicious patterns.
3) Do not hand over full account credentials — use least-privilege API keys or OAuth with revocable scopes for Amazon/Walmart/Shopify and confirm exactly which scopes are requested.
4) Prefer to audit the package in a sandbox or CI runner before use, and scan it with static analysis tools.
5) Request a clear list of required environment variables, network endpoints the skill talks to, and where data will be sent/stored.
If the publisher cannot provide repository/source code or a clear list of required credentials and network flows, treat the package as unsafe to install.
Like a lobster shell, security has layers — review code before you run it.
