Skillv1.0.1

ClawScan security

Sellapp Autolist · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 30, 2026, 2:27 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (auto-creating products on SellApp) and request only the SellApp API key; no unrelated credentials, installs, or hidden exfiltration were found.
Guidance: This skill appears to do what it claims: it will read your SellApp products and create the hard-coded catalog items if missing. Before installing: (1) Confirm you trust the skill author and that you want these specific products created (they will be set public by the script). (2) Provide a SellApp API key with the minimum necessary permissions and be prepared to revoke/rotate it if needed. (3) The skill does not include a scheduler — if you want it to run periodically you must configure scheduling yourself. (4) Review the product descriptions in the catalog (one item references building a 'sniper bot') to ensure they don't violate your policies or SellApp's terms. (5) Run the script first in a test account or sandbox, and ensure the requests library is available in your environment.

Purpose & Capability: okName/description state: auto-create products on SellApp v2. The included Python script calls SellApp's /products endpoints and uses SELLAPP_API_KEY; no unrelated services, binaries, or credentials are requested.
Instruction Scope: noteSKILL.md and the script focus on listing and creating products via SellApp API only. Minor inconsistencies: SKILL.md says “Runs on a schedule” but no scheduling mechanism is provided by the skill; SKILL.md directs saving the key in Zo settings (platform-specific) which aligns with the script expecting SELLAPP_API_KEY. The skill sets created products' visibility to public — users should confirm they want that.
Install Mechanism: okNo install spec (instruction-only with a small included script). The script requires Python and the requests library (documented). No downloads from arbitrary URLs or archive extraction.
Credentials: okOnly one credential is used: SELLAPP_API_KEY, which is appropriate for interacting with SellApp. No additional secrets or unrelated environment variables are requested.
Persistence & Privilege: okalways is false and the skill does not modify other skills or system-wide settings. It does not request permanent elevated presence.