Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Brand Protection Walmart
v0.1.0
Walmart brand protection toolkit. Detect unauthorized sellers, counterfeits, and MAP violations. Includes Walmart Brand Portal reporting, WFS seller monitori...
by Henk Nie (@phheng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is advertised as 'Walmart brand protection', but the code and templates use Amazon-specific concepts: ASIN, FBA, Buy Box, Amazon Brand Registry URLs, and 'Amazon.com' in legal templates. This is a strong mismatch — either the README is wrong or the code was repurposed from an Amazon tool. A Walmart tool should reference Walmart item identifiers and Walmart Brand Portal APIs, not ASINs and Amazon Brand Registry.
Instruction Scope
SKILL.md instructs running local Python scripts (python3 scripts/detector.py and templates.py). The scripts are local and generate detection output and complaint templates. The templates include detailed guidance for 'test buys' (create separate buyer accounts, use alternate shipping addresses) and legal text referencing Amazon — these are in-scope for brand-protection but may be sensitive operational guidance. I did not see (in the truncated content) explicit network calls or calls that exfiltrate credentials, but the full scripts were truncated and could contain web-scraping or HTTP requests; that should be verified before running.
Install Mechanism
No install spec — this is instruction-only with bundled Python scripts. That minimizes supply-chain risk (no external downloads). However, the included scripts will run on your machine when invoked, so they should be reviewed for network or subprocess calls before execution.
Credentials
The skill declares no required environment variables or credentials. That is plausible for an offline analysis tool, but inconsistent with the advertised capability to 'file Brand Portal reports' (reporting typically requires credentials or manual steps). Also, because the code is Amazon-centric despite the Walmart label, it's unclear what credentials (if any) are actually needed. Confirm whether the tool will prompt for or attempt to access any credentials or endpoints at runtime.
Persistence & Privilege
The skill does not request any persistent/always-on privilege (always: false). It appears to be user-invoked scripts with no install-time persistent components.
What to consider before installing
Do not run these scripts on production systems yet. The package claims to target Walmart but the code/templates are Amazon-specific (ASIN, FBA, Amazon Brand Registry). Before installing or running:
1) ask the publisher to explain the Walmart/Amazon mismatch and provide the full, untruncated source;
2) review the scripts for any network calls, HTTP endpoints, or subprocess usage (e.g., requests, urllib, subprocess); if present, verify where data is sent;
3) if you want a Walmart tool, request a version that uses Walmart identifiers/APIs;
4) if you must test it, run in an isolated environment (VM/container) and do not provide any credentials or sensitive env vars until you confirm what the tool needs.
If the author cannot justify the discrepancy, treat the skill as unreliable and avoid using it for automated reporting.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971jg44qxf79wcn09shpn5erd839dcr
