Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Walter SellerSprite API Integration

v1.0.0

SellerSprite API integration module. Triggered when the user needs to connect to the SellerSprite API for automated data retrieval. Supports fetching market statistics, brand concentration, price distribution, keyword data, ASIN details, competitor analysis, review data, and more. The user must supply an API key (secret-key); keys are issued at: https://open.sellersprite.com/...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill is an API client for SellerSprite and that purpose matches the code’s HTTP calls to api.sellersprite.com. However, the bundle includes a config.json with a plaintext secret_key (f678a3...), which contradicts the SKILL.md statement that the user must provide their own secret-key. The skill metadata declares no required credentials, yet the shipped config contains a usable API key. This is incoherent and risky (accidental key leakage or a developer test key embedded in the package).
Instruction Scope
SKILL.md instructions stay within the stated purpose (call SellerSprite endpoints and produce analysis). But the documentation offers multiple configuration methods that do not align with the implementation: SKILL.md suggests an environment variable SELLERSPRITE_KEY for direct key injection and also mentions SELLERSPRITE_CONFIG for custom config path; the code only looks for SELLERSPRITE_CONFIG (to find config.json) and does not read SELLERSPRITE_KEY. This mismatch could lead to accidental use of the embedded key.
Install Mechanism
No install spec; it's an instruction-only skill with a Python module included. Dependencies are minimal (requests). No remote downloads or obscure install URLs are present.
Credentials
The skill requests no declared environment variables or credentials in registry metadata, yet expects a secret-key at runtime. Worse, a plaintext secret is present in config.json inside the package. That is disproportionate and dangerous: checked-in secrets can be abused (cost/quotas, data access), and the skill does not clearly require or declare credentials as it should.
Persistence & Privilege
The always flag is false, and the skill does not request elevated or persistent platform privileges. It does read a local config file packaged with the skill, which is normal for a client library.
What to consider before installing
Do not install or run this skill as-is. The package contains a plaintext API key in config.json — this may be a developer/test key or a leaked credential. Ask the author to: (1) remove any checked-in secrets and replace them with placeholders; (2) clearly document how to provide your own key (consistent env var name and/or config path); (3) confirm who owns the embedded key and rotate it if it was exposed. If you still want to use the skill, inspect the full scripts/sellersprite_api.py source locally, remove or neutralize config.json, and supply your own key (preferably via a secure secret store or passing it explicitly to the constructor). Run the code in a sandboxed environment and monitor outbound traffic and API usage after first use. If you relied on the embedded key prior to rotating it, consider that key compromised and rotate it on SellerSprite immediately.



