Ebay Review Checker
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly behaves like a review-analysis tool, but the HTML report it generates interpolates untrusted values without escaping and loads an unpinned third-party script from a CDN.
Only analyze review data you are comfortable rendering in a local HTML report, and treat reports generated from untrusted input as untrusted web content until the maintainer escapes all HTML output and either vendors the Chart.js dependency or pins it to a fixed version with an integrity hash. Also note that the code appears partly Amazon-oriented despite the eBay branding.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening a report generated from untrusted review data could execute attacker-controlled script in the report page.
The report generator inserts values directly into HTML without escaping. Because the skill analyzes user-supplied review text and report fields, malicious HTML or JavaScript in those fields is emitted verbatim and runs when the generated report is opened in a browser. The interpolated fields include the page title, the summary and each detail row; a payload that first closes the enclosing element (for example a literal </title>) can inject arbitrary markup and script from any of them.
<title>Review Analysis Report - {asin}</title> ... <strong>Summary:</strong> {summary} ... {d.get('detail', d.get('detail_zh', ''))}
Escape all HTML output (in Python templating, html.escape with quote=True for both text and attribute contexts), render dynamic text via textContent rather than raw HTML where the page builds DOM client-side, and add tests that feed script-tag and attribute-injection inputs through the generator.
When the report is opened, third-party JavaScript is fetched and executed; if the CDN content changes or is compromised, that script can read or alter the report page, including the analyzed review data.
The generated report loads a remote JavaScript dependency from an unpinned CDN URL, so whatever the CDN serves for that path at open time runs in the same page as the analyzed review data. Without a version and an integrity hash, a changed or substituted bundle is accepted silently, and this external dependency is not disclosed in SKILL.md.
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
Pin Chart.js to a specific version and add a Subresource Integrity hash (an integrity attribute together with crossorigin="anonymous"), or bundle a reviewed local copy; in either case disclose the script load in SKILL.md and provide an offline option.
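The following is an added example of the hardened report generator both findings above call for; it is not code from the skill or its maintainer. It escapes every interpolated value with html.escape (quote=True, so values are safe in attribute context as well as text), and it emits a Chart.js script tag pinned to one version with a Subresource Integrity hash computed from a reviewed local copy, so a CDN serving different bytes is refused by the browser. The version string, the CDN path and the placeholder bundle bytes are assumptions for the example; substitute the version and file you actually reviewed. Hostile inputs in the __main__ block are constructed.

```python
import base64
import hashlib
import html

# Assumed pinned version and CDN path; use the version you actually vendored and reviewed.
CHART_JS_VERSION = "4.4.1"
CHART_JS_URL = f"https://cdn.jsdelivr.net/npm/chart.js@{CHART_JS_VERSION}/dist/chart.umd.js"

# Constructed stand-in for the reviewed local copy of Chart.js. In a real build this is
# read from disk after review, e.g. open("vendor/chart.umd.js", "rb").read().
CHART_JS_BUNDLE = b"/* constructed placeholder for a reviewed chart.umd.js */\n"


def esc(value) -> str:
    """Escape a value for both text and double-quoted attribute contexts."""
    return html.escape(str(value), quote=True)


def sri_integrity(content: bytes) -> str:
    """Subresource Integrity token for `content`: 'sha384-' + base64(SHA-384 digest)."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def chart_script_tag(url: str = CHART_JS_URL, content: bytes = CHART_JS_BUNDLE) -> str:
    """Script tag pinned to one version, with an integrity hash taken from the reviewed
    local copy. If the CDN ever serves different bytes, the browser refuses to run them."""
    return (
        f'<script src="{esc(url)}" integrity="{sri_integrity(content)}" '
        'crossorigin="anonymous"></script>'
    )


def render_report(item_id: str, summary: str, details: list[dict]) -> str:
    """Hardened counterpart of the skill's template: every dynamic field is escaped,
    including the one that lands inside an attribute."""
    rows = "".join(
        f"<li>{esc(d.get('detail', d.get('detail_zh', '')))}</li>" for d in details
    )
    return (
        "<!doctype html><html><head>"
        f"<title>Review Analysis Report - {esc(item_id)}</title>"
        f"{chart_script_tag()}"
        "</head><body>"
        f'<div class="item-id" data-id="{esc(item_id)}">Item: {esc(item_id)}</div>'
        f"<p><strong>Summary:</strong> {esc(summary)}</p>"
        f"<ul>{rows}</ul>"
        "</body></html>"
    )


if __name__ == "__main__":
    # Constructed hostile inputs: an attribute breakout in the item id, a script tag in
    # the summary and an event-handler payload in a detail row.
    page = render_report(
        '123" onmouseover="alert(1)',
        "<script>alert(document.cookie)</script>",
        [{"detail": "<img src=x onerror=alert(2)>"}, {"detail_zh": "normal review"}],
    )
    print(page)
```

The same sri_integrity value can be pasted into a static template once, as long as the vendored file is regenerated whenever the pinned version changes; a mismatch between the hash and the bytes the CDN serves simply blocks the script, which is the intended failure mode.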
Users may overestimate how accurately the tool handles eBay-specific feedback patterns.
The skill is marketed as an eBay review checker, but the report template and analyzer terminology refer to Amazon and ASINs, which are Amazon product identifiers (eBay listings use numeric item IDs). This does not prove malicious behavior, but it weakens the eBay-specific claim and suggests the analysis logic was written for a different marketplace.
<div class="asin">ASIN: {asin}</div> ... <p>Generated by Amazon Review Checker | Nexscope AI</p>
Align the code, labels, and detection logic with eBay terminology and disclose any generic or Amazon-derived analysis limitations.
