Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

E-Commerce Social Media Monitor

v1.0.0

Monitor social media mentions, trends, and competitor activity for e-commerce brands. Set up listening workflows across Reddit, TikTok, Instagram, Twitter/X,...

0 · 71 · 0 current · 0 all-time
by nexscope-ai@nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and listed capabilities (keyword/hashtag setup, sentiment, competitor tracking, etc.) are coherent with a social-media monitoring skill. However, the SKILL.md references many platforms (e.g., Shopify, Amazon, TikTok, Instagram) without declaring any platform credentials or APIs. That is plausible if the skill only provides guidance based on user-provided information or public data, but it is ambiguous whether live API access or store credentials are expected.
Instruction Scope
The runtime instructions are high-level and tell the agent to 'research and analyze' using the provided frameworks, but they do not specify permitted data sources or boundaries. That vagueness grants the agent broad discretion (web/API calls, third-party services), which could lead to unexpected external network access or requests for credentials. The SKILL.md also includes an explicit 'npx skills add ...' install command (an instruction to run an external package), which is outside the skill's declared metadata and increases risk.
Install Mechanism
There is no formal install specification in the skill metadata (the skill is instruction-only), which is low-risk. However, the README's example tells users to run 'npx skills add nexscope-ai/eCommerce-Skills ...', an external npm installation step that downloads and executes third-party code: the fetched package's own entry point plus any install-time lifecycle scripts it declares. Because that install instruction is embedded only in SKILL.md and is not enforced or reviewed through the metadata, it is a potential vector for arbitrary code execution if a user follows it.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to an instruction-only guidance skill. Note: real-time monitoring across some platforms usually requires API keys; the absence of credential requests means the skill can operate only on user-supplied information or public data unless it later asks for tokens.
Persistence & Privilege
The skill does not request 'always' presence and has no install-time persistence specified. Autonomous invocation is allowed by default but is not combined with other privilege escalations here.
What to consider before installing
This skill appears to be a high-level social-listening assistant rather than a connector that directly accesses your accounts, but you should proceed cautiously:
1) Do not run the npx install command or any third-party installer until you verify the package and its publisher (inspect the npm package and the linked GitHub repo).
2) Expect the agent to ask clarifying questions; never provide full account passwords. Use read-only, scoped API tokens if you must grant access.
3) Ask the publisher (or check their GitHub) what exact data sources and APIs the skill will use.
4) If you need live monitoring that integrates with your stores or social accounts, prefer setting up official API keys with least privilege and test in a sandbox first.
5) If you are uncomfortable with the external npx package, ask the skill to operate only on user-provided data and public posts rather than installing anything.
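Step 1 above says to inspect the npm package before running the install command. The script below is an added example of what that inspection looks like; it is not code from ClawHub, OpenClaw or the skill's publisher. It assumes you have already obtained the package.json of the package that `npx` would execute (for example with `npm view <pkg> --json`, or by unpacking the tarball from `npm pack <pkg>`; neither command runs the package's install scripts), and it reports the two places where third-party code would run: npm lifecycle hooks, which execute at install time, and `bin` entry points, which execute when `npx` invokes the command. The manifest, package name and repository URL in the sample are constructed for illustration and do not refer to a real package.

```python
"""Pre-install audit of an npm package manifest (added example, not the
page's or the publisher's code). Assumes package.json was fetched without
running install scripts; the sample manifest below is constructed."""
import json
import re
from typing import Optional

# npm runs these hooks automatically during install: each one is arbitrary code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed sample manifest; the package and repository names are not real.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-skill-installer",
    "version": "1.2.3",
    "bin": {"skills": "bin/cli.js"},
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
    "dependencies": {"node-fetch": "^3.0.0"},
    "repository": {"type": "git",
                   "url": "git+https://github.com/example-org/example-skill-installer.git"},
})


def normalize_repo_url(url: str) -> str:
    """Reduce the repository forms npm accepts (git+https://, ssh git@host:owner/repo,
    github:owner/repo) to host/owner/repo so two URLs can be compared."""
    url = url.strip().lower()
    url = re.sub(r"^git\+", "", url)
    url = re.sub(r"^(?:https?|ssh|git)://", "", url)
    url = re.sub(r"^github:", "github.com/", url)
    url = re.sub(r"^[^@/]+@", "", url)          # drop user@ from ssh-style URLs
    url = url.replace(":", "/", 1)              # git@github.com:owner/repo -> github.com/owner/repo
    url = re.sub(r"\.git$", "", url)
    return url.rstrip("/")


def audit_manifest(manifest_json: str, expected_repo: Optional[str] = None) -> dict:
    """Return what code would run, when, and whether the manifest points at the
    repository the listing claims (None when no expected repo is given)."""
    m = json.loads(manifest_json)
    scripts = m.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

    bin_field = m.get("bin") or {}
    if isinstance(bin_field, str):              # "bin": "cli.js" means {<package name>: "cli.js"}
        bin_field = {m.get("name", ""): bin_field}
    entry_points = [f"{cmd} -> {path}" for cmd, path in bin_field.items()]

    repo = m.get("repository")
    repo_url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    repo_matches = None
    if expected_repo is not None:
        repo_matches = normalize_repo_url(repo_url) == normalize_repo_url(expected_repo)

    if hooks:
        risk = "high"       # code runs at install time, before you invoke anything
    elif entry_points:
        risk = "medium"     # code runs as soon as npx invokes the command
    else:
        risk = "low"        # nothing executes unless you require() it yourself

    return {
        "name": m.get("name"),
        "version": m.get("version"),
        "lifecycle_scripts": hooks,
        "entry_points": entry_points,
        "dependency_count": len(m.get("dependencies") or {}),
        "repo_url": repo_url,
        "repo_matches": repo_matches,
        "risk": risk,
    }


if __name__ == "__main__":
    # Compare against the repository the listing links to (constructed value here).
    result = audit_manifest(SAMPLE_MANIFEST,
                            "https://github.com/example-org/example-skill-installer")
    print(json.dumps(result, indent=2))
```

A "high" result means a `postinstall`-style hook would run the moment the package is installed, so the install step itself is the execution point, not the later `skills add` invocation; read the hook's target file in the unpacked tarball before deciding. A `repo_matches` of `False` means the published package does not claim the repository the listing links to, which is worth raising with the publisher before installing anything.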


latest: vk9754yd7cv7khcvjd3mg15t69d83nvra
