ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Walmart Listing Optimization

v1.0.0

Optimize Walmart Marketplace product listings for search visibility and conversion. Covers Walmart SEO, content quality scoring, rich media, and Walmart-spec...

0· 46·0 current·0 all-time
bynexscope-ai@nexscope
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md capabilities match: optimizing Walmart listings, content scoring, and comparison to other marketplaces. Supported-platforms list is broad but consistent with an e-commerce toolset.
Instruction Scope
Runtime instructions are narrowly scoped to collecting product info via follow-up questions and producing recommendations. However, the SKILL.md's 'Step 3: Research and analyze' is vague about data sources and the doc includes an 'Install' command that would fetch external code (npx nexscope-ai/eCommerce-Skills). The skill does not instruct reading local files or environment variables.
!
Install Mechanism
The manifest has no install spec, yet SKILL.md directs users to run 'npx skills add nexscope-ai/eCommerce-Skills --skill walmart-listing-optimization -g' and links to a Nexscope GitHub repo. That is an external install from a third party not reflected in registry metadata (source unknown). Running npx would download and execute remote code — this is a non-trivial risk and a mismatch between the registry record and the SKILL.md.
Credentials
No environment variables, credentials, or config paths are requested in the manifest or SKILL.md. Requested access appears proportionate to the stated functionality.
Persistence & Privilege
always is false and there are no indications the skill requests permanent presence or elevated agent-wide privileges. Autonomous invocation is permitted by default (not a concern on its own).
What to consider before installing
This skill appears to do what it says (Walmart listing optimization) and does not ask for credentials, but exercise caution before following the SKILL.md's install instruction. The document tells you to run an npx command that would fetch and run code from a third party (nexscope-ai/eCommerce-Skills) while the registry record lists source as unknown. Before running that command: 1) verify the npm package and GitHub repository ownership and review the package contents or source code; 2) confirm the package version and that the publisher is the expected organization (Nexscope); 3) prefer to inspect code in a sandboxed environment rather than running it globally (-g); and 4) avoid supplying any sensitive credentials to the tool. If you want higher assurance, ask the publisher for a verified homepage or source repo and a registry install spec, or request the skill author publish code to the registry so the install mechanism matches the manifest.

Like a lobster shell, security has layers — review code before you run it.

latestvk975rdev1ev3p2rhfgt7bjc1j583qxr7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments