Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

E-Commerce Competitor Analysis

v1.0.0

Cross-platform competitor analysis for e-commerce brands. Compare competitors across Amazon, Shopify, social media, and advertising channels. Build a complet...

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and supported-platforms list align with an e‑commerce competitor-analysis skill. However, deep access to some platforms (Shopify stores, Amazon seller dashboards, ad accounts) normally requires API credentials; the skill requests no credentials, which is plausible for surface-level public research but means the skill either only uses public data or relies on the user to supply credentials later. This mismatch is worth noting but not a clear contradiction.
!
Instruction Scope
SKILL.md instructs the agent to 'research and analyze' without specifying allowed sources or collection methods, and includes an explicit shell command (npx skills add nexscope-ai/eCommerce-Skills -g). That command would download and run code from an external package/repo if executed; the instructions give broad discretion on where to gather data, which could lead to unexpected web scraping, API calls, or execution of external code.
!
Install Mechanism
There is no formal install spec in the skill package, but the documentation recommends running an npx install of an external package (nexscope-ai/eCommerce-Skills). Because this package/source is not verified here and no install spec is provided in the registry package, following that command would download/execute third-party code — a higher-risk install pattern if executed blindly.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for a public-data analysis assistant. If a user expects private/account-level analysis (ad accounts, seller consoles), they would likely need to provide credentials later; the SKILL.md does not explain how such secrets would be used or stored.
Persistence & Privilege
The skill does not request always:true or any special persistent privileges. Model invocation is allowed (the platform default). There are no config paths or other system-level modifications declared.
What to consider before installing
This skill appears to be a normal competitor-analysis assistant, but exercise caution before following the embedded install instruction. Do not run the suggested 'npx skills add nexscope-ai/eCommerce-Skills -g' unless you have inspected the npm/GitHub package and trust its publisher: that command will download and run third-party code. Ask the publisher for the package repository URL, review its code, and check npm/github provenance (maintainer, recent commits, issues) before installing. Clarify with the skill author how data will be collected (public web scraping vs. API access) and whether you need to provide any account credentials — never share sensitive keys unless you understand how they will be used and stored. Finally, be aware of platform terms of service for scraping and ad/marketplace data; if you need account-level analysis, prefer official APIs and vetted integrations.

Like a lobster shell, security has layers — review code before you run it.
