Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Product Research
v1.0.0
Comprehensive Amazon product research and opportunity analysis. Evaluate market demand, competition intensity, profit potential, and entry barriers for any p...
by nexscope-ai@nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and listed capabilities are consistent: this is an Amazon/e‑commerce research assistant that estimates demand, competition, and profit potential. Nothing requested in the registry (no env vars, no binaries) contradicts the stated purpose.
Instruction Scope
The runtime instructions say to 'research and analyze' but do not specify data sources or methods (Amazon public pages, Amazon APIs, third‑party datasets, or paid services). That leaves open whether the skill expects the agent to scrape websites, call external endpoints, or ask the user for credentials — none of which are declared. The SKILL.md does ask the agent to collect product and user info via a follow-up question (which is expected).
Install Mechanism
Although the registry lists no install spec, SKILL.md includes an 'npx skills add nexscope-ai/eCommerce-Skills ...' install command that would pull code from npm/GitHub. This is traceable but would run code from an external package not included in the registry metadata; the discrepancy is a risk because the package could install arbitrary code. The instruction to run npx globally (-g) increases the blast radius.
Credentials
The skill declares no required environment variables or credentials, which is proportionate to a generic research assistant. However, deeper integrations (Shopify, WooCommerce, seller central APIs) would normally require API keys not declared here — the SKILL.md does not request those explicitly.
Persistence & Privilege
The skill does not request always:true and does not declare any configuration or system path changes. Default autonomous invocation is allowed (platform default) but not combined with other privilege escalations.
What to consider before installing
Before installing or running this skill:
1) Verify the upstream package/repo (nexscope-ai/eCommerce-Skills) on GitHub and the npm publisher to ensure you trust the maintainer.
2) Avoid running the suggested 'npx ... -g' globally until you inspect the package contents; prefer installing in a sandboxed environment or reviewing the package code first.
3) Never provide account credentials (Amazon Seller, Shopify API keys, etc.) unless the skill explicitly documents why they are needed and you trust the publisher.
4) Ask the maintainer how data is collected (API vs scraping) and whether any third‑party services are used.
5) If you plan to rely on it for business decisions, audit the underlying data sources and fee calculations.
If you can share the upstream repository or published npm package URL, I can re-evaluate and raise or lower the risk rating.
Like a lobster shell, security has layers — review code before you run it.
