Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tiktok Shop Affiliate Program
v1.0.0
Affiliate collaboration — commission structure, creator selection, sample management, performance tracking
by nexscope-ai (@nexscope)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's purpose (strategy and recommendations for TikTok Shop affiliate programs) matches the SKILL.md content. However, the README-style instructions include an install command referencing an external package (npx skills add nexscope-ai/eCommerce-Skills) even though the registry metadata lists no install spec — this is an inconsistency between what the skill advertises and the install guidance it provides.
Instruction Scope
SKILL.md promises to 'Analyze your current TikTok Shop setup' but provides no mechanism for accessing TikTok Shop data (no API integration, no declared env vars, and no instructions for obtaining safe read-only exports). The instructions are high-level and vague, which could cause an agent or human to request sensitive credentials or other broad access from the user to perform the promised analysis.
Install Mechanism
Although the registry metadata shows no formal install spec, SKILL.md instructs the user to run an npx command to add 'nexscope-ai/eCommerce-Skills'. That directs npx to fetch and run code from the npm/GitHub ecosystem; because the package source and contents are not provided in the registry, this introduces moderate risk. Users should not run npx on an unfamiliar package without inspecting its source.
Credentials
The skill declares no required environment variables, credentials, or config paths, which is proportionate for a guidance-only skill. There is no direct request for secrets in the manifest. The SKILL.md's suggestion to 'analyze' a shop is the main area where credentials might later be solicited, but the file does not itself request them.
Persistence & Privilege
The skill is not marked always:true and makes no requests to persist or modify other skills or system configuration. It is user-invocable and allows autonomous invocation (the platform default) but does not request elevated persistence privileges.
What to consider before installing
This skill is mostly an advisory/template for TikTok Shop affiliate programs, but it has two issues to consider before installing or using it:
- Do not run the suggested npx install command until you verify the package: ask for the exact npm or GitHub repo URL, inspect the package source code, verify the publisher/maintainer, and review any install scripts. Running npx downloads and runs third-party code and can be risky.
- The skill promises to 'analyze your current TikTok Shop setup' but provides no safe integration path. Do not share passwords, full API keys, or long-lived tokens. If analysis is required, prefer read-only exports (CSV/reports) or a temporary, least-privilege API token. Ask the skill author how data is accessed and whether they require any credentials.
- If you want to proceed: request the maintainer's repository, check recent activity and issues, run the package in an isolated environment (container/VM), and prefer manual copy-paste of non-sensitive data over giving direct account access.
If the author can supply a clear, auditable install package (link to a reputable npm/GitHub repo) and a documented, least-privilege method for providing shop data, the inconsistencies would be resolved; until then treat the skill with caution.
