Skillv1.0.0

ClawScan security

Etsy Advertising · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 14, 2026, 1:50 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: Instruction-only Etsy advertising strategy skill that is internally consistent: it provides advisory guidance, requests no credentials, and does not install or execute code by itself (the SKILL.md merely suggests an optional npx installation of a third-party package).
Guidance: This skill is advisory only and appears coherent with its stated purpose. Before installing anything: (1) you can use the skill's advice without running the npx command—installation is optional; (2) if you choose to run the provided npx install, verify the provenance of the package 'nexscope-ai/eCommerce-Skills' (author, npm/GitHub page, reviews) because npx will download and execute third-party code; (3) never provide your Etsy credentials or other secrets unless a tool explicitly requires them and you trust the publisher; and (4) if you want automated real-time integration with your shop, the SKILL.md states it does not perform Etsy API integrations—use an official integration or vetted tool for that functionality.

Review Dimensions

Purpose & Capability: okThe name/description (Etsy Ads strategy, budget/bid guidance) align with the SKILL.md capabilities (analysis, recommendations, implementation plans). The skill requests no credentials or unusual binaries, which is proportionate for a strategy/advisory skill that explicitly states it does not perform Etsy API integrations.
Instruction Scope: noteRuntime instructions are advisory and scoped to strategy and recommendations. They do not instruct the agent to read local files, environment variables, or call external endpoints other than linking to Nexscope. One note: the Install section recommends running an npx command to add a third-party package/CLI; that command—if run by a user—would fetch and execute remote code (but this is a user action outside the skill's automatic behavior).
Install Mechanism: noteThe registry contains no install spec, so the skill itself is instruction-only (low risk). However, SKILL.md suggests an npx-based install (npx skills add nexscope-ai/eCommerce-Skills --skill etsy-advertising -g). npx will download and execute remote package code from npm/GitHub when a user runs it; this is normal for CLI tooling but is an additional trust decision for the user.
Credentials: okNo environment variables, credentials, or config paths are requested. That matches the stated purpose (strategy/advice only) and the limitation that there is no Etsy API integration.
Persistence & Privilege: okalways is false and the skill does not request persistent or elevated privileges. disable-model-invocation is false (normal), and the skill does not try to modify other skills or system settings.