Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Product Differentiation Tiktok

v0.1.0

TikTok Shop product differentiation strategy tool. Analyze viral product trends, competitor affiliate strategies, content performance, and identify different...

by Henk Nie (@phheng)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (TikTok Shop differentiation) matches the included analyzer script logic (review/pattern extraction). However, the skill metadata says 'no required binaries' while SKILL.md instructs running python3 scripts/analyzer.py — the runtime implicitly requires a Python 3 interpreter. Also SKILL.md includes an 'npx skills add' installation command referencing an external npm package that is not declared in the registry install spec, creating a small coherence gap.
Instruction Scope
Runtime instructions are to run the bundled Python analyzer with product/competitor info or interactively. The SKILL.md does not instruct reading unrelated system files or environment variables. That said, the doc is vague about where competitor data (shop IDs, comments, sales data) must come from; the visible portion of analyzer.py implements local NLP on reviews, but the file is truncated — the script may include network/scraping code elsewhere. Because data collection sources are unspecified, it's unclear whether the skill will attempt to fetch data from external endpoints (TikTok or other services) or expects the user to provide all raw data.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which is low risk. However SKILL.md suggests installing via 'npx skills add nexscope-ai/eCommerce-Skills' (an npm package) — that external installer is not declared in the registry metadata. The included Python script means no external fetch is required to run analysis, but the presence of an undocumented npx install command is inconsistent and should be treated with caution.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The provided SKILL.md also states 'No API key required.' The visible analyzer.py code processes in-memory data and does not reference environment secrets in the shown portion. This is proportionate to the stated offline analysis purpose.
Persistence & Privilege
The skill is not set to always:true and uses default autonomous invocation settings. It does not request persistent system privileges in metadata. Nothing in the provided files indicates it would modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to be a local Python analysis tool and mostly matches its description, but take these precautions before installing or running it:

- Inspect the full scripts/analyzer.py file (the provided snippet is truncated) to confirm there are no network calls, hardcoded endpoints, or data-exfiltration logic. Look for imports like requests, urllib, aiohttp, selenium, or subprocess and any code that opens sockets or posts data.
- Expect to run python3 — the registry declared no required binaries but the SKILL.md expects Python. Ensure you run it in a controlled environment (container or VM) if you don't trust the source.
- The README suggests an 'npx skills add ...' installer that isn't declared in the registry. Don't run that npm command unless you verify the npm package identity and its contents from a trusted source.
- If you will feed real competitor/shop IDs or customer comments, confirm whether the tool fetches data automatically (and from where). If it does, ensure credentials or API keys are not needed or are stored securely.
- Prefer running the script on sanitized or sample data first. If you're not comfortable auditing the code, run it in an isolated sandbox and monitor outbound network activity.

If you can provide the remainder of analyzer.py, I can re-scan it for network activity, subprocess usage, or hidden endpoints — that would raise confidence and could change the verdict.

