Security scan
OpenClaw
Suspicious
Medium confidence. The skill's description (enrollment and automation for Amazon Subscribe & Save) doesn't line up with what it requests and documents — it contains vague 'research' instructions, references an npx install in SKILL.md while the registry provides no install spec, and yet requests no Amazon credentials that would be required for enrollment/automation.
Assessment recommendations
This skill may be purely advisory, or it may be claiming automation it cannot perform — treat it as unverified. Before installing or running it: (1) Ask the author (or the Nexscope links in SKILL.md) whether the skill performs account-level actions and, if so, which credentials it needs and how they are stored. (2) Do not provide Amazon seller credentials unless you confirm the skill's source and a clear, minimal scope for credential use (and prefer OAuth or short-lived tokens). (3) Verify the e...
⚠ Purpose and capabilities
The skill claims capabilities like 'enrollment' and 'Subscribe & Save optimization' which in practice often require access to a seller's Amazon account or API credentials (SP-API/MWS) to enroll products or change listing settings. The skill declares no required credentials or config paths. That mismatch could mean the skill is only advisory (fine) or it's incomplete/misleading about automation capabilities.
ℹ Instruction scope
SKILL.md instructs the agent to 'Collect information from the user's message' and to 'Research and analyze using the frameworks and methodology below' but doesn't define where research happens, what external tools may be used, or whether any account access will be performed. The instructions are high-level and grant the agent broad discretion (e.g., to use web research or other tools) without constraints.
⚠ Install mechanism
There is no install spec in the registry, but SKILL.md includes an 'npx skills add nexscope/amazon-subscribe-save' command (pulling from an external namespace). That discrepancy is a red flag: either the registry entry is incomplete or the SKILL.md points to an external package not tracked by the registry. Installing via npx from an unverified source carries risk.
⚠ Credential requirements
The skill requires no environment variables or credentials. For purely advisory output that is reasonable. For actual enrollment/automation, missing any requirement for Amazon seller credentials is disproportionate. The absence of declared credentials leaves unclear whether the skill will ask users for secrets at runtime or cannot perform automation it advertises.
✓ Persistence and privileges
The skill is not always-enabled and has no install spec that writes to disk (instruction-only). It does not request persistent privileged presence or modify other skills according to the registry data.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/9
Initial release
● Harmless
Install command
Official: npx clawhub@latest install amazon-subscribe-save
Mirror (accelerated): npx clawhub@latest install amazon-subscribe-save --registry https://cn.longxiaskill.com