Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amz Product Optimizer
v1.0.0
Use when user wants to optimize Amazon product listings, generate product images, improve titles, monitor CTR, or automate end-to-end Amazon product optimiza...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to call Taobao MCP for image generation and to monitor main-image CTR (which would normally require Amazon/Seller-Central access), yet the package declares no required environment variables, credentials, or endpoints. The inclusion of a Taobao service ID in documentation without any declared credential handling is inconsistent with the stated capabilities.
Instruction Scope
SKILL.md instructs the agent to 'scrape top keywords', 'generate images via Taobao MCP', read/write local product JSON/CSV, and 'schedule daily checks' for CTR. It does not specify which endpoints/APIs to use for keyword scraping or CTR retrieval nor how credentials should be provided or protected, leaving broad discretion to the agent and unclear data flows.
Install Mechanism
This is instruction-only (no install spec or code files). The references list Python packages and an MCP service ID but there are no concrete install steps. While instruction-only reduces immediate disk-write risk, the missing install and dependency guidance is inconsistent with the declared Python dependencies and expected runtime actions.
Credentials
No environment variables or primary credentials are declared, yet operations described (Taobao MCP calls, CTR monitoring likely against Amazon analytics) normally require API keys/credentials. The lack of declared credentials is disproportionate to the external services the skill intends to use.
Persistence & Privilege
The skill suggests scheduling daily CTR monitoring and updating product files, implying ongoing background activity. Although it does not set always:true, autonomous invocation plus the unclear mechanism for scheduling and data access increases the risk of persistent network activity or repeated file writes without explicit user consent.
What to consider before installing
Before installing or running this skill: (1) Ask the author to provide an explicit list of required credentials (Taobao/MCP, and Amazon/Seller Central or analytics) and how they will be used and stored. (2) Request a concrete install/runtime plan (how Python deps are installed, what scripts run, and where network calls go). (3) Do not hand over Amazon/Seller-Central credentials or broad API keys until you (or a reviewer) can inspect the code or scripts that will use them. (4) Clarify how CTR data is retrieved (API vs scraping) and whether the agent will perform scheduled background tasks — require explicit opt-in for daily monitoring. (5) Prefer running initial tests on a copy of your product file in an isolated environment. If the author cannot provide clear, verifiable details (code, install steps, or explicit credential requirements), treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
