Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Omnichannel E-Commerce

v1.0.0

Develop and manage a unified omnichannel e-commerce strategy with inventory sync, branding, listings, order routing, pricing, and performance analysis.

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims operational capabilities (inventory synchronization, listing management, order routing across Amazon/Shopify/Walmart/etc.) that in practice require API keys, store credentials, or connector code. However, the skill declares no required environment variables, config paths, or install artifacts that would perform those integrations. It reads as advisory/strategy-only despite promising management features.
Instruction Scope
SKILL.md contains planning and usage prompts and does not instruct the agent to read local files, environment variables, or send data externally. It stays high-level and appears limited to producing strategy/recommendations rather than performing integrations. That scope is internally consistent with the lack of credentials — but conflicts with the skill's operational wording.
Install Mechanism
There is no formal install spec, but the README suggests running `npx skills add nexscope/omnichannel-ecommerce`. That implies fetching code from a registry (npm or similar) if executed. Because no package source/homepage is provided in metadata and 'source' is unknown, blindly running the npx command could fetch and execute third-party code; inspect the package before running.
Credentials
No environment variables or credentials are declared despite the skill's stated need to manage marketplaces and sync inventory. If the skill actually connects to platforms, it should explicitly request the minimal necessary credentials and describe how they are stored/used. The absence of credential requirements is disproportionate to the claimed features.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not request system paths or elevated persistence. Autonomous invocation is allowed by default but is not by itself a red flag here.
What to consider before installing
This skill appears to be an advisory/strategy-only tool despite promising operational integrations. Before installing or running any suggested npx command: (1) Confirm the publisher (Nexscope) and inspect the package source (npm/GitHub) to review code and permissions; (2) Do not run `npx` blindly—download and audit the package first or run it in an isolated environment; (3) Ask the author whether the skill performs direct platform integrations and, if so, which credentials it requires and how they are stored (least-privilege, encrypted); (4) If you expect actual inventory sync/listing management, prefer a skill that documents required API credentials and secure auth flows; (5) If you only want strategy, treat this as advisory and avoid giving any service credentials.

Like a lobster shell, security has layers — review code before you run it.
