ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon FBA Operations

v1.0.0

Amazon FBA seller operations for private label and wholesale sellers. Inventory alerts, reorder point calculations, listing optimization, PPC budget tracking...

0· 28·0 current·0 all-time
by@joshbuildswithdoit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description promise automated daily/weekly monitoring and actionable reports that normally require access to Amazon Seller Central (inventory, orders, advertising reports) or other data feeds. The skill declares no credentials, no config paths, and no install — so either it expects all data to be provided manually in chat, or the skill omits required integration mechanisms. This is a mismatch between claimed capabilities and requested access.
Instruction Scope
SKILL.md keeps instructions narrowly on FBA tasks and asks the user to provide top ASINs, reorder lead times, ACoS targets, supplier contacts, and budgets. It does not instruct the agent to read local files, environment variables, or external endpoints. However, it asks for supplier contacts (PII) and operational details that users should not paste into chat lightly. Also, automated 'daily' or 'weekly' checks are implied but no mechanism for scheduling or data retrieval is provided.
Install Mechanism
No install spec and no code files — lowest-risk installation footprint. Nothing is written to disk and there are no external packages or downloads to evaluate.
!
Credentials
The skill requests no environment variables or credentials. For the advertised automated features this is disproportionate: legitimate automation would normally require API credentials (Amazon SP-API/MWS or advertising API) or a connector. The absence of credential requirements means the skill cannot perform continuous integration tasks unless users manually supply all data each time.
Persistence & Privilege
always is false and default autonomous invocation is allowed (normal). The skill does not request persistent presence or system-wide config changes, so it does not demand elevated platform privileges.
What to consider before installing
This skill reads like a checklist/consultant that expects you to paste business data into chat, not a connector that will auto-pull from Seller Central. Before installing or using it, ask the publisher how it obtains live sales/ad/inventory data (SP-API/MWS, OAuth connector, or manual input). Do not paste AWS/Shopify/Amazon credentials or sensitive supplier contact details into chat — prefer OAuth flows and documented integration methods. If you need automated daily monitoring, prefer a skill that explicitly documents secure integration and a privacy/data-retention policy and asks for credentials via a secure OAuth flow rather than in-chat. If you proceed, test with non-sensitive/sample data first and ask whether the skill stores or transmits your inputs and where.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dcfxpds7zm02095j1pba22s84z5gf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments