Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
E-Commerce Shipping Rates
v1.0.0
Compare and optimize shipping rates across carriers and fulfillment methods. UPS, FedEx, USPS, DHL rate comparison, zone optimization, and shipping strategy...
⭐ 0 · 136 · 0 current · 0 all-time
by nexscope-ai@nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill claims multi-carrier and platform-specific rate comparison and optimization (UPS, FedEx, USPS, DHL, Shopify, Amazon, etc.). However, no credentials, API keys, or platform integrations are declared. Real-time carrier rates, negotiated rates, and platform-specific shipping rules typically require account credentials or API access; the lack of declared requirements is inconsistent with the stated capabilities.
Instruction Scope
SKILL.md instructs the agent to collect user inputs, ask a single follow-up, and 'research and analyze' using internal frameworks. The instructions do not tell the agent to read local files or environment variables, nor do they name external endpoints, but 'research and analyze' is vague and could permit network requests. There is no explicit direction to exfiltrate data, but the open-ended wording grants broad discretion.
Install Mechanism
The registry metadata lists no install spec (instruction-only), but the SKILL.md contains an 'Install' example that runs an npx command to add an external package (nexscope-ai/eCommerce-Skills). Because that is just prose inside SKILL.md (not a declared install spec), it wasn't vetted by the registry. Suggesting npx installs in runtime docs is risky: an npm package could execute arbitrary code when installed. This is not flagged as malicious by itself but is a notable risk.
Credentials
The skill requests zero environment variables or credentials. For many of the advertised capabilities (carrier rate lookups, negotiated rates, platform-specific shipping rules), per-account credentials or tokens are normally required. The absence of any declared credentials is disproportionate to claimed functionality and should be clarified. If the skill only uses public benchmarks, that should be stated explicitly.
Persistence & Privilege
The skill is not force-included (always: false), is user-invocable, and does not declare any persistent installs or modifications. There is no evidence it attempts to change other skills or system-wide settings.
What to consider before installing
Before installing or using this skill:
(1) Ask the author how live carrier/platform rates are obtained and whether any API keys or account credentials are required. Do not provide credentials until you understand where they are stored and who can access them.
(2) Do not run the suggested npx install blindly — verify the npm package and its GitHub source first (review code, readme, and recent activity).
(3) If you only want analysis without sharing secrets, provide anonymized sample orders or exported rate tables instead of account credentials.
(4) Prefer skills that declare required env vars and an explicit install spec in the registry so you can audit what will be installed.
(5) If you proceed, run the install in a sandbox or review package contents before global install.
Like a lobster shell, security has layers — review code before you run it.
