Ecommerce Website Data

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent ecommerce data lookup skill, but it requires an EcCompass API token and sends searches to EcCompass, including optional contact lookups.

Before installing, make sure you are comfortable giving the skill an EcCompass API token and sending your ecommerce research queries to EcCompass. Use a dedicated token, store it securely, and be careful with contact data returned by the service.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may return business contact names, emails, or LinkedIn profiles for requested domains.

Why it was flagged

The skill can retrieve contact information as part of its lead-generation purpose; this is disclosed and read-only, but users should be aware of the privacy/compliance implications.

Skill content

Lead Contacts — "Get decision-maker emails for this brand"

Recommendation

Use contact lookup only for appropriate business purposes and follow applicable privacy, consent, and anti-spam rules.

What this means

Anyone with access to the configured token could use the associated EcCompass API access or quota.

Why it was flagged

The setup flow asks the user to provide an EcCompass API token to the agent so it can configure the skill.

Skill content

Paste this to your OpenClaw agent and it will install the skill and configure the token for you: ... My APEX_TOKEN is: your_token_here

Recommendation

Use a dedicated/revocable token, avoid sharing it in public or shared chats, and rotate it if it may have been exposed.

What this means

Search terms, target domains, filters, and the API token are sent to EcCompass to perform the lookup.

Why it was flagged

The visible code sends API requests to the declared EcCompass service using the configured token and user-provided query/domain parameters.

Skill content

API_BASE = "https://api.eccompass.ai"

Recommendation

Do not submit confidential target lists or sensitive business research queries unless sharing them with EcCompass is acceptable.