Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Brand Protection Shopify

v0.1.0

Shopify/DTC brand protection toolkit. Detect counterfeit stores, unauthorized resellers, and trademark violations. Includes DMCA takedown templates, domain m...

by Henk Nie (@phheng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The skill is named and described as 'Shopify/DTC' brand protection, but the included scripts and templates are heavily Amazon‑centric (ASINs, Amazon Brand Registry, Brand Registry portal, Amazon-specific complaint steps). That mismatch (Shopify vs Amazon) is unexpected and suggests the package may not do what the name/description promise or may be repurposed from an Amazon tool.
!
Instruction Scope
SKILL.md tells the agent/user to run local Python scripts and shows an npx install command, but there is no install spec in the registry entry. The runtime instructions include test‑buy guidance and evidence collection (normal for brand protection) but do not document any network endpoints or credential use. The mismatch between installation guidance (npx) and the registry's 'no install spec' is inconsistent and should be clarified.
Install Mechanism
There is no formal install spec in the registry (instruction‑only), but SKILL.md suggests an npx command to add a package from 'nexscope-ai/eCommerce-Skills'. That is not enforced by the registry metadata and the skill currently includes Python scripts only. This is not inherently dangerous, but it's inconsistent and you should confirm the intended distribution method and package source (npm package vs direct code).
Credentials
The skill requests no environment variables, no credentials, and requires only standard Python modules visible in the files. The inputs SKILL.md asks for (brand name, trademark number, logo URL, social handles) are appropriate and not secret. No evidence of requests for unrelated credentials was found in the visible code.
Persistence & Privilege
The skill does not request persistent presence (always=false) and contains no install scripts or modifications to other skills or system-wide settings. Running the included Python scripts is a local, non‑privileged action.
What to consider before installing
Before installing or running this skill:
(1) Clarify scope — the name/description say 'Shopify/DTC' but the code and templates reference Amazon (ASINs, Brand Registry). Ask the publisher which platforms are supported.
(2) Confirm distribution — SKILL.md shows an npx install command but the registry entry has no install spec or homepage; verify the trusted source (npm package, GitHub repo, or official site) before running any install commands.
(3) Inspect the full scripts for network calls or credential use (the provided snippets are local-processing and templates but portions were truncated); if network requests exist, verify endpoints and whether any secrets are transmitted.
(4) Test in an isolated environment (non‑production machine) and review logs and outbound network traffic if you plan to run it on sensitive systems.
(5) If you need Shopify‑specific workflows, ask for confirmation or a Shopify mode; otherwise expect Amazon‑focused behavior.
If the publisher cannot explain these inconsistencies, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest vk97ed5mxt8cmhqykg3v75zz4z5838bm1
