Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

E-Commerce Keyword Research

v1.0.0

Cross-platform keyword research for e-commerce. Discover high-converting keywords across Amazon, Shopify, Etsy, Google Shopping, TikTok Shop, and Walmart. An...

0 · 87 · 0 current · 0 all-time
by nexscope-ai@nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md all describe cross‑platform e‑commerce keyword research (Amazon, Shopify, Etsy, Google Shopping, TikTok Shop, Walmart, etc.). That claimed capability is plausible for an instruction‑only skill using public signals and heuristics. However, the skill advertises integrations with services that commonly require API credentials (Shopify, Amazon, Etsy) yet the registry metadata declares no required environment variables or primary credential — this omission is noteworthy and unexplained.
Instruction Scope
The SKILL.md confines runtime instructions to: collect product/platform/goals from the user, ask a single multi‑choice followup, perform research/analysis using stated frameworks, and return structured output. It does not instruct reading local files, system paths, or unrelated environment variables. However, it is vague about how 'research' is performed (web queries, scraping, third‑party APIs, or an external package), leaving the agent with broad discretion to fetch external data.
Install Mechanism
Registry shows no install spec (instruction‑only), but SKILL.md contains an explicit install line: `npx skills add nexscope-ai/eCommerce-Skills --skill ecommerce-keyword-research -g`. That directs users/agents to fetch and run external code via npx and perform a global install. This is inconsistent with the registry metadata and introduces risk: npx may execute arbitrary remote code, and a global (-g) install modifies system state. The skill package name should be verified (source, integrity, and contents) before running.
Credentials
The skill declares no required environment variables or credentials. Given the number of supported platforms (many of which typically require API keys/tokens for reliable data), this is either because the skill relies only on public signals/heuristics or because credentials would be requested at runtime or handled by the external package. The absence of declared credentials reduces transparency and may lead to unexpected prompts for sensitive tokens later.
Persistence & Privilege
The skill does not request `always: true` and has no OS restrictions or required config paths. As an instruction‑only skill with no install spec in the registry, it does not demand persistent platform privileges. The SKILL.md's suggested global npx install (if followed) would grant the installed package system presence, but that behavior is from the install command, not the registry metadata.
What to consider before installing
This skill looks like a legitimate e‑commerce keyword assistant, but exercise caution before installing or running anything it points to. Specific things to consider:
1) SKILL.md instructs you to run an `npx` command with `-g` (global install) even though the registry lists no install spec. Verify the package source (GitHub repo and npm publishing account) and inspect its code before running it.
2) Many supported platforms (Shopify, Amazon, Etsy, etc.) normally require API keys. Ask the author how credentials are handled and avoid entering sensitive keys into untrusted prompts.
3) The SKILL.md is vague about how it 'researches' keywords (web scraping vs official APIs); scraping can trigger rate limits or legal restrictions.
4) If you want to try it, prefer a non‑global, sandboxed install (inspect package contents locally) and review the linked GitHub repos (nexscope-ai/*). If you cannot validate the external package, treat the install step as risky and avoid running it.


latest · vk976seve3bdb60j4725zet33j983j2q8
