Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Amazon Seller Intelligence Machine: Find Winning Products, Spy on Competitors and Dominate Any Niche in 30 Minutes
v1.0.0
Scrapes 10 Amazon data sources to identify winning products, analyze competitors, find review gaps and keywords, and automate buyer follow-up for seller succ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to orchestrate 10 Apify scrapers, use Claude AI for synthesis, and build automations in GetResponse. All three of those external services normally require API keys/accounts and explicit configuration. The skill declares no required env vars, no primary credential, and no config paths — that is incoherent with the described purpose. The SKILL.md also contains affiliate/tracking links for Apify and GetResponse, which suggests monetization but is unrelated to technical requirements.
Instruction Scope
The SKILL.md (truncated in the package) instructs scraping many external sources and building automated buyer follow-up sequences. It does not appear to instruct the agent to read local system files or other unrelated credentials, which is good. However, the instructions rely heavily on external APIs and services; the skill does not document how API tokens are to be supplied or used, nor does it specify what user data (e.g., buyer emails) will be collected, stored, or transmitted to third parties.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install mechanism. Nothing is written to disk by an installer in the bundle.
Credentials
The skill requires access to Apify, GetResponse, and potentially Claude; all normally need API credentials or account-level access. Yet requires.env and primary credential are empty. That mismatch is a red flag: either the SKILL.md omits required sensitive inputs (bad practice), or the skill expects the platform/agent to use its own credentials (potentially exfiltrating user data through the platform) or to use public/uncredentialed scrapers (unlikely). The affiliate/tracking links in SKILL.md are another non-credential but privacy-related element to note.
Persistence & Privilege
always is false and there is no install behavior or requested system-wide configuration. The skill does not request permanent presence or elevated platform privileges in the provided metadata.
What to consider before installing
This skill claims to run multiple Apify scrapers and to set up GetResponse automations, but it declares no API keys or config for those services — that mismatch is suspicious. Before installing or invoking it, ask the author these questions: (1) exactly which API keys/tokens are required (Apify, GetResponse, Claude) and why; (2) where and how those credentials will be provided/stored (env vars, OAuth, or entered interactively); (3) whether any buyer/customer PII (emails, order data) will be accessed or exported and to which third parties; and (4) whether the affiliate links or tracking IDs in the SKILL.md cause any data to be routed through third-party affiliate endpoints. Only proceed if the author provides a clear credential input schema and limited-scope tokens, a privacy/data-handling description, and example API calls showing no hidden endpoints. If you must test, use throwaway accounts and minimal-scope API keys.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fabn9x7bgnc1y31rrmfgnn983t28z
