ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supply Chain Optimization Tiktok

v0.1.0

Supply Chain Bottleneck Analyzer for TikTok Shop sellers. Diagnose cash flow, inventory turnover, affiliate commissions, and return rates. Includes FBT cost...

0· 58·0 current·0 all-time
byHenk Nie@phheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included calculator code: both focus on supply-chain metrics for TikTok Shop. The SKILL.md documents optional TikTok API integration (shows env var names) but the skill metadata does not require any credentials; that is plausible for a tool that can run in 'manual input' mode, but it is an inconsistency worth noting because the docs imply capability that may only work if you run external code or provide credentials.
Instruction Scope
SKILL.md stays on-topic (metrics, benchmarks, inputs). It does reference TikTok API endpoints and example env vars, but the runtime instructions do not direct the agent to read unrelated system files or exfiltrate data. However, the docs instruct users to run an npx command to add 'nexscope-ai/eCommerce-Skills', which would fetch external code; that step is outside this skill bundle and could implicitly expand what runs on the host.
Install Mechanism
There is no explicit install spec in the bundle (instruction-only), and the included scripts/calculator.py appears to be local calculation code with no obvious network calls in the visible portion. The SKILL.md's suggested npx install command (npx skills add nexscope-ai/eCommerce-Skills) would pull code from npm when executed by a user — that's a separate risk to review before running.
Credentials
The skill metadata requires no environment variables or credentials, which aligns with a manual/calculator mode. SKILL.md, however, shows example TikTok credentials (TIKTOK_APP_KEY, TIKTOK_APP_SECRET, TIKTOK_ACCESS_TOKEN) for API integration; requiring such credentials would be expected only if you actually connect to TikTok. Because the bundle doesn't declare or automatically use them, be careful not to paste credentials into unknown or external installers.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills, and there is no install spec that writes to system locations. It appears to run as-needed without elevated persistence.
What to consider before installing
This skill appears to be a local calculator for TikTok Shop metrics (the included Python script does calculation work), but the README suggests installing an external npm package and shows TikTok API credentials as optional inputs. Before installing or running anything: 1) Verify the publisher/source for 'nexscope-ai/eCommerce-Skills' — don't run the npx command unless you trust that package. 2) Inspect the full scripts/calculator.py and any code pulled by the npx package for network calls, credential use, or unexpected behavior. 3) Never paste TikTok (or other) API keys into a tool unless you trust its code and origin; consider using test/limited-permission keys. 4) Run the code in a sandbox or isolated environment first. If you want, provide the full (untruncated) calculator.py or confirm whether this skill will ever call out to remote APIs automatically — that would change the assessment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e8qt6bgdfm0wre055kc4w5s83ckyv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments