Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ecommerce Advertising

v0.1.0

Full-funnel e-commerce advertising planner for cross-channel campaigns. Covers keyword research, competitor ad analysis, audience insights, campaign architec...

by Henk Nie (@phheng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and runtime instructions (keyword research, competitor analysis, audience insights, campaign architecture) are consistent with an e-commerce advertising planner. However, SKILL.md claims to be built by 'Nexscope' and provides an npx install command for 'nexscope-ai/eCommerce-Skills' while the registry shows a different owner ID and no homepage; this publisher/install mismatch is unexpected and should be verified.
Instruction Scope
Instructions stay within the advertised scope: they instruct the agent to parse product/business details and to use web_search and web_fetch to gather public web data (Amazon pages, Facebook Ads Library, competitor sites, Reddit, etc.). There are no instructions to read local files, request credentials, or access unrelated system state.
! Install Mechanism
The registry contains no install spec and the skill is instruction-only, but SKILL.md includes a recommended npx install (npx skills add nexscope-ai/eCommerce-Skills --skill ecommerce-advertising -g). That command would download and execute external npm code from an external namespace not present in the registry metadata. Because the registry doesn't provide an install artifact or verified source, running the suggested npx command could introduce arbitrary third-party code — verify the package, its publisher, and contents before running.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The instructions explicitly say 'No API key required.' The data access the skill requests (public web pages) aligns with its stated functionality.
Persistence & Privilege
The skill does not request 'always: true' and uses default autonomous invocation settings. It does not ask to modify other skills or system-wide settings. Autonomous invocation is normal for skills.
What to consider before installing
This skill appears to do what it says (build ad strategies using public web data), but the SKILL.md suggests running an npx install for 'nexscope-ai/eCommerce-Skills' while the registry provides no install package or homepage. Before installing or running that npx command:

1) Verify the npm package name and publisher on the npm registry (or GitHub) and confirm it's from the company you expect.
2) Inspect the package contents (source code) for unexpected network calls, credential collection, or scripts that run on install.
3) Do not run the npx command blindly — npx executes remote code.
4) If you only want the instruction-only skill, you can use the SKILL.md content without running external installers.

If the publisher/contact is unclear, ask the publisher to provide a verified distribution or a homepage. If you need higher assurance, avoid installing the external package or run it in an isolated environment (VM) after inspection.

Like a lobster shell, security has layers — review code before you run it.

latest vk97ermrscgwrkmmejdb5nr66j583bhf0
