Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Firm Ecommerce Pack

v1.0.0

Curated skill bundle for e-commerce platforms, D2C brands and marketplace operators. Activates the firm pyramid with Marketing, Commercial, Operations and En...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description and SKILL.md are aligned: the skill is a sector bundle that provides prompts, routing profiles and recommended companion installs for e‑commerce orchestration. It does not request unrelated credentials or binaries.
Instruction Scope
SKILL.md contains prompts, a suggested agent config (workspace path under ~/.openclaw) and recommends installing several ClawHub packages via npx. The runtime instructions themselves do not instruct reading system secrets or unrelated files, but the recommended npx installs (user-initiated) will fetch external packages and the workspace path may cause files to be written under the user's home if the agent follows the overlay.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is automatically downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, no primary credential and no config paths. It does list internal OpenClaw tools (sessions_send/sessions_spawn/sessions_history) in metadata; these are plausible for an orchestration bundle but you should confirm what those tools permit in your platform.
Persistence & Privilege
always is false and default autonomy settings are used. The skill suggests a workspace path but does not force persistent installation or request elevated privileges. Nothing in the manifest indicates it will modify other skills or system-wide settings.
Assessment
This skill is instruction-only and appears coherent with its ecommerce orchestration purpose, and it does not request secrets. However: (1) The publisher/source/homepage are missing — there's limited provenance so treat it with caution. (2) The SKILL.md recommends running several npx install commands; those will download and run third‑party code — review each package and its source before executing. (3) The suggested workspace path (~/.openclaw/workspace/ecommerce-firm) could create files in your home directory if followed — verify and sandbox if needed. (4) The metadata lists session tools (sessions_send/sessions_spawn/sessions_history); confirm what platform-level access those tools permit in your environment. If you plan to install the companion packages, validate their reputations and required credentials (e.g., ActiveCampaign, Airtable, Stripe integrations) before providing API keys.

Like a lobster shell, security has layers — review code before you run it.
