Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Walmart Review Checker

v0.1.0

Walmart review authenticity analyzer. Detect fake reviews, suspicious patterns, and rating manipulation. Includes WFS verified badge analysis, incentivized r...

by Henk Nie (@phheng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is advertised as a Walmart review analyzer, but multiple included files and strings refer to Amazon (file headers, 'Amazon Review Checker', ASIN, 'AmazonReviewAuthenticityDetection', report footer). This suggests either copy-paste reuse or mislabeling. The SKILL.md installation example uses an npx command to pull 'nexscope-ai/eCommerce-Skills', but registry metadata lists a different owner slug and there is no homepage/source URL. These inconsistencies make it unclear whether the code matches the claimed Walmart-specific functionality.
Instruction Scope
SKILL.md contains clear runtime instructions to run the bundled Python scripts (e.g., python3 scripts/analyzer.py) and a demo mode; the scripts parse review text and generate an HTML report. The instructions do not ask the agent to read unrelated system files or env vars. One caveat: SKILL.md recommends an npx-based install that would fetch code from a remote package — that network action is outside the local scripts' behavior and should be treated as an additional risk if followed.
Install Mechanism
No official install spec is provided in the package; it's instruction-only plus bundled scripts. However, SKILL.md suggests installing via an npx command (npx skills add nexscope-ai/eCommerce-Skills --skill walmart-review-checker -g), which would fetch code from a remote registry (npm) if executed. Fetching an external package via npx carries the usual supply-chain risks; because there is no homepage or authoritative source listed, that npx recommendation is disproportionate and should be treated cautiously.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the visible code does not reference environment secrets. That level of access is proportionate for a local analysis/reporting tool.
Persistence & Privilege
always:false and default invocation settings mean the skill is not force-included and does not request elevated persistence. The provided scripts produce local output (HTML) and reference a CDN for Chart.js in the generated report; they do not appear to modify other skills or global config.
What to consider before installing
This package looks like a local Python review-analyzer but has red flags: (1) many source strings mention Amazon (ASIN, 'Amazon Review Checker') while the skill is advertised for Walmart — this mismatch could be innocent copy-paste or indicate the wrong code was bundled; (2) SKILL.md suggests installing via npx from 'nexscope-ai/eCommerce-Skills' but the skill metadata lacks a homepage/source and the owner slug is unclear — fetching code from an unknown npm package has supply-chain risk. Before installing or running: verify the publisher on npm (or avoid the npx step and run the included scripts locally), review the full scripts for any network calls or subprocess usage (the visible portions appear local-only), run in an isolated environment (sandbox/container) if you want to test, and prefer to obtain the tool from a trusted source or repository with provenance. If you plan to use it for Walmart-specific signals, validate that the detection logic is actually tailored to Walmart (WFS badges, Walmart IDs) because current files show Amazon terminology (ASIN) which may limit correctness.
