Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Product Opportunity Analyzer

v1.0.0

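Discover product opportunities from e-commerce reviews. Automatically scrapes a product's 1-3 star reviews, uses a Map-Reduce strategy to extract pain points, and generates a product insight report. This skill is triggered when the user sends an Amazon product link.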

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to fetch Amazon reviews and analyze them, which matches the included script and SKILL.md workflow. However, both the SKILL.md and scripts rely on Bright Data (brightdata_amazon_product_reviews / api.brightdata.com) and an API key, yet the registry metadata declares no required environment variables or primary credential. Not declaring the Bright Data API key is an incoherence.
! Instruction Scope
Runtime instructions explicitly direct the agent to call a Bright Data tool to fetch reviews, apply Map-Reduce and produce reports. The instructions do not ask for unrelated system files, but they assume a network-capable tool and credentials exist. The automatic trigger on receiving an Amazon link is expected for the described purpose but means the agent could autonomously send product URLs and review text to Bright Data without the skill declaring where the API key comes from.
Install Mechanism
This is an instruction-only skill with no install spec. The included Python script is simple and does not perform hidden installs. No inbound archive downloads or non-standard install locations are present.
! Credentials
The script requires an API key (passed on the CLI) for Bright Data, and the SKILL.md references using Bright Data's tool, but the skill metadata lists no required env vars or primary credential. Requesting network access to a third-party scraping provider without declaring it is disproportionate and makes it unclear what secrets the skill needs or will transmit.
Persistence & Privilege
always is false, there are no config-path or system-wide modifications, and the skill does not request persistent/privileged presence. Autonomous invocation is allowed (platform default) but not combined here with broad undeclared credential access.
What to consider before installing
This skill uses Bright Data to fetch Amazon reviews and the included script requires a Bright Data API key, but the published metadata does not declare that credential — that's the main red flag. Before installing or using: (1) confirm with the author which credential(s) are required and why they weren't declared; (2) if you must provide an API key, create a least-privilege/test Bright Data key and monitor usage/costs; (3) understand that product URLs and review text will be sent to Bright Data (third-party) — evaluate privacy and compliance implications; (4) if you can't verify the owner or don't want to share a Bright Data key, avoid enabling the skill. If the author updates metadata to explicitly declare the Bright Data API requirement and its scope, re-evaluate then.

Like a lobster shell, security has layers — review code before you run it.


