Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Review Monitoring
v1.0.0 · Set up systematic review monitoring across e-commerce platforms. Track new reviews, detect negative review spikes, monitor competitor reviews, and automate r...
by nexscope-ai @nexscope
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to set up cross-platform review monitoring (Amazon, Etsy, Shopify, Walmart, etc.), which normally requires platform APIs, seller accounts, or scraping tools. However, the registry shows no required credentials, no binaries, and no install spec — a mismatch between claimed capabilities and the resources requested. This could be legitimate if the skill only provides playbooks and guidance, but the description reads like it will perform active monitoring, which would require additional access.
Instruction Scope
SKILL.md describes a conversational workflow (collect user info, ask follow-ups, research, deliver recommendations). It does not instruct the agent to read local files, environment variables, or remote credentials, nor does it include explicit API calls. That keeps runtime scope limited to advisory/research tasks, but the phrasing ('Set up systematic review monitoring') is ambiguous about whether the skill will actually connect to platforms or merely advise on setup.
Install Mechanism
There is no install specification in the registry (instruction-only), which is low-risk. The SKILL.md includes an npx command referencing an external package (nexscope-ai/eCommerce-Skills). That suggests an external install path outside the registry; the absence of an official install spec in the skill package is an inconsistency users should notice before running any npx command.
Credentials
No environment variables, credentials, or config paths are required per the manifest. That is disproportionate to the claimed capability of actively monitoring multiple e-commerce platforms, which normally requires API keys, OAuth tokens, or account access. The lack of requested credentials may mean the skill is only advisory — but the manifest does not make that explicit.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false) and is user-invocable only. There is no indication it modifies other skills or system settings. This dimension is acceptable.
What to consider before installing
This skill reads like a consultant that produces plans rather than a connector that actually polls your seller accounts — but that distinction is not explicit. Before installing or running anything:
1) Don't supply account credentials to this skill until you confirm whether it intends to connect to platform APIs;
2) Verify the nexscope-ai package and GitHub links referenced in SKILL.md before running any npx install command (confirm maintainer identity and review code);
3) If you expect live monitoring (automatic alerts, scraping, or API polling), require explicit instructions about where credentials are stored and what network endpoints will be contacted;
4) Consider legal/ToS issues for scraping competitor reviews and ensure compliance;
5) If you want an advisory-only skill, treat this as a planning tool and not a service that will access your accounts.
If the publisher can clarify whether the skill performs live integrations (and provide an install spec and required credential list), that would change this assessment.
Like a lobster shell, security has layers — review code before you run it.
