Security scan
OpenClaw
Suspicious
Medium confidence: The skill's description (live multi-carrier, platform-specific rate comparisons) doesn't align with what it requests or documents — it asks for no credentials or installs yet suggests capabilities that normally require account/API access, and its README recommends running an npx installer without an install spec in the registry.
Assessment recommendations
Before installing or using this skill: (1) Ask the author how live carrier/platform rates are obtained and whether any API keys or account credentials are required. Do not provide credentials until you understand where they are stored and who can access them. (2) Do not run the suggested npx install blindly — verify the npm package and its GitHub source first (review code, readme, and recent activity). (3) If you only want analysis without sharing secrets, provide anonymized sample orders or exp...
⚠ Purpose and capabilities
The skill claims multi-carrier and platform-specific rate comparison and optimization (UPS, FedEx, USPS, DHL, Shopify, Amazon, etc.). However, no credentials, API keys, or platform integrations are declared. Real-time carrier rates, negotiated rates, and platform-specific shipping rules typically require account credentials or API access; the lack of declared requirements is inconsistent with the stated capabilities.
ℹ Instruction scope
SKILL.md instructs the agent to collect user inputs, ask a single follow-up, and 'research and analyze' using internal frameworks. The instructions do not tell the agent to read local files or environment variables, nor do they name external endpoints, but 'research and analyze' is vague and could permit network requests. There is no explicit direction to exfiltrate data, but the open-ended wording grants broad discretion.
ℹ Install mechanism
The registry metadata lists no install spec (instruction-only), but the SKILL.md contains an 'Install' example that runs an npx command to add an external package (nexscope-ai/eCommerce-Skills). Because that is just prose inside SKILL.md (not a declared install spec), it wasn't vetted by the registry. Suggesting npx installs in runtime docs is risky: an npm package could execute arbitrary code when installed. This is not flagged as malicious by itself but is a notable risk.
⚠ Credential requirements
The skill requests zero environment variables or credentials. For many of the advertised capabilities (carrier rate lookups, negotiated rates, platform-specific shipping rules), per-account credentials or tokens are normally required. The absence of any declared credentials is disproportionate to claimed functionality and should be clarified. If the skill only uses public benchmarks, that should be stated explicitly.
✓ Persistence and permissions
The skill is not force-included (always: false), is user-invocable, and does not declare any persistent installs or modifications. There is no evidence it attempts to change other skills or system-wide settings.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/3/26)
Beta release — functional skill for e-commerce AI agents. Built by Nexscope.
● Harmless
Install command
Official: npx clawhub@latest install ecommerce-shipping-rates
Mirror (accelerated): npx clawhub@latest install ecommerce-shipping-rates --registry https://cn.longxiaskill.com