Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Etsy Keyword Research

v1.0.0

Etsy search optimization — long-tail keywords, tag research, competitor analysis, seasonal trends

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and SKILL.md content align: this is a strategy/advice skill for Etsy SEO and explicitly states it does not perform direct Etsy API access. The capabilities listed match the stated purpose and require no extra secrets or system access.
Instruction Scope
SKILL.md gives high-level, user-facing guidance (audits, recommendations, plans). It does not instruct the agent to read unrelated files, access environment variables, or exfiltrate data. It explicitly notes no direct Etsy API integration is performed.
Install Mechanism
Although the registry shows no install spec and the skill is instruction-only, the SKILL.md includes an 'Install' command that runs 'npx skills add nexscope-ai/eCommerce-Skills --skill etsy-keyword-research -g'. That command would fetch and run code from npm at install time. This is not represented in the registry metadata and introduces the usual risks of pulling external packages (arbitrary code execution).
Credentials
The skill declares no required environment variables, credentials, or config paths. The SKILL.md likewise does not ask for secrets or unrelated credentials, so requested access appears proportional to the described advisory function.
Persistence & Privilege
The skill is not always-enabled and has default autonomous invocation settings. It does not request persistent system-wide configuration or access to other skills' credentials. Nothing in the package indicates elevated persistence is requested.
Scan Findings in Context
[no_code_files_instruction_only] expected: No code files or regex scan findings were detected. This is expected for an instruction-only skill, but also means there is nothing local for the scanner to analyze.
[external_install_command_in_readme] unexpected: SKILL.md contains an npx install command pointing at an npm package (nexscope-ai/eCommerce-Skills). The registry metadata did not include an install spec; the presence of this command is noteworthy because it encourages fetching external code.
What to consider before installing
This skill appears to be an advisory Etsy SEO guide and is internally consistent, but the README tells you to run an 'npx' command that will fetch and execute code from npm — something not declared in the registry. Before installing or running that command, verify the npm package maintainer (nexscope-ai), inspect the package contents (or its npm/GitHub repo), and confirm you trust the source. If you only want the advisory guidance, you can use the skill as-is without running the npx install. Avoid providing Etsy credentials or other secrets unless you understand exactly how they're used and stored. If you're unsure, test the install in an isolated environment (container/VM) first.
