Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sales Tracking Tool

v1.0.0

Track and analyze e-commerce sales performance across platforms. Set up KPI dashboards, trend analysis, and performance alerts to catch issues and opportunit...

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims cross-platform sales tracking (Amazon, Shopify, Walmart, etc.) and alert/dashboard setup, which normally requires API access, connectors, or software to run. However, the skill metadata declares no dependencies, no install spec, and no required credentials. The SKILL.md includes an 'Install' command that references a separate npm package (nexscope-ai/eCommerce-Skills), but that external dependency is not declared in the registry metadata. This mismatch means the skill as-published does not actually contain or request the resources typically needed to perform the claimed integrations.
Instruction Scope
The runtime instructions themselves are limited to conversational steps (collect info, ask a single follow-up, analyze, produce output). They do not instruct the agent to access local files, environment variables, or external APIs directly. However, the SKILL.md suggests the user run 'npx skills add nexscope-ai/eCommerce-Skills', which implies installing external code that might perform the integrations; that external action is outside the skill's declared scope and should be clarified.
! Install Mechanism
There is no declared install spec in the skill metadata (lowest-risk), but SKILL.md instructs users to run an npx command that installs code from an external package. Because the registry entry does not declare this package as a dependency or provide an official install mechanism, the presence of an ad-hoc npx install line is a red flag: it points consumers to execute an external installer that has not been recorded or vetted here.
! Credentials
The skill requests no environment variables or credentials, which is inconsistent with its stated capability to integrate with many e-commerce platforms (which normally require API keys, tokens, or store credentials). The absence of declared credentials could be benign if the skill is purely advisory, but combined with the install hint it suggests missing/undeclared requirements that should be documented and justified.
Persistence & Privilege
The skill does not request always-on presence and is user-invocable with normal autonomous invocation allowed. There is no indication it attempts to modify other skills or system-wide settings.
Scan Findings in Context
[no-code-in-skill] expected: The regex scanner found nothing because this is an instruction-only skill (SKILL.md only). This is expected, but it means the SKILL.md content is the primary surface for assessing risk.
What to consider before installing
Before installing or using this skill, ask the publisher (or check the referenced GitHub/npm package) for details:
1) Does the skill actually install nexscope-ai/eCommerce-Skills? If so, inspect that package's source and releases on GitHub before running npx.
2) Which API keys or store credentials are required to enable cross-platform tracking, and how/where should they be provided? Avoid pasting live credentials into chat; prefer scoped API keys, read-only tokens, or uploading sanitized exports.
3) Confirm whether the skill will store or transmit your sales data to third-party services and where backups/exports are kept.
If the publisher can't clearly explain the external package and credential needs, treat the skill as incomplete and do not run external installers or share sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.
