Skill Trust Decision

ecommerce-category-collector

Skill exposes hardcoded credentials in documentation, contains unused dangerous imports, and performs web scraping with unclear data handling practices.

Source: Manual upload · Scanned: Apr 4, 2026
Files 6
Artifacts 15
Violations 0
Findings 4
Most direct threat evidence
High Credential Theft
Hardcoded credentials in documentation

Real Audtools account credentials (username: 15715090600, password: zzw12345) are exposed in plain text in the SKILL.md precondition section

SKILL.md:11

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

15 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Hardcoded credentials in documentation +20

SKILL.md lines 11-12 expose real Audtools account credentials (15715090600/zzw12345) in plaintext

Unused execSync import +15

scripts/collector.js imports child_process.execSync but never uses it - potential dormant capability

Web scraping automation +10

Automates data collection from third-party e-commerce sites without declared data handling policy

Most important evidence

High Credential Theft

Hardcoded credentials in documentation

Real Audtools account credentials (username: 15715090600, password: zzw12345) are exposed in plain text in the SKILL.md precondition section

SKILL.md:11
Remove credentials from documentation and use environment variables or config files instead
Medium Sensitive Access

Unexplained child_process import

scripts/collector.js imports execSync from child_process module but never uses it - suspicious dormant code

scripts/collector.js:13
Remove unused imports or document the legitimate use case
Medium Doc Mismatch

Undeclared browser automation capability

SKILL.md does not declare the skill uses browser automation tools (browser:WRITE) - only mentions 'browser tool' in description

SKILL.md:1
Explicitly declare browser automation permissions in capability section
Low Doc Mismatch

External third-party data collection

Skill automates scraping of third-party e-commerce sites (zaraoutlet.top) without declaring data collection scope or handling policy

scripts/collector.js:37
Document what data is collected, how it's processed, and where it's stored

Declared capability vs actual capability

Capability  Status  Declared  Inferred  Evidence
Filesystem  Pass    NONE      READ      scripts/collector.js:14 - fs.readFileSync
Browser     Pass    NONE      WRITE     scripts/collector.js:45-280 - browser.open/act/evaluate
Shell       Pass    NONE      READ      scripts/collector.js:13 - execSync imported but unused

Suspicious artifacts and egress

Medium External URL
https://img.shields.io/badge/version-1.0.0-blue

README.md:3

Medium External URL
https://img.shields.io/badge/OpenClaw-Skill-green

README.md:4

Medium External URL
https://img.shields.io/badge/license-MIT-orange

README.md:5

Medium External URL
https://zaraoutlet.top/collections/woman-collection-blazers

SKILL.md:47

Medium External URL
https://zaraoutlet.top/collections/woman-collection-bodies

SKILL.md:48

Medium External URL
https://www.audtools.com/users/shopns#/users/shopns/collecs?spm=m-1-2-3

SKILL.md:79

Medium External URL
https://zaraoutlet.top/collections/woman-collection-cardigans-jumpers

references/csv-format.md:45

Medium External URL
https://zaraoutlet.top/collections/woman-collection-co-ord-sets

references/csv-format.md:46

Medium External URL
http://shop.example.com/collections/all

references/csv-format.md:60

Medium External URL
https://www.example.com/collections/summer-dresses

references/csv-format.md:61

Medium External URL
https://www.audtools.com

scripts/collector.js:15

Medium External URL
https://www.audtools.com/login

scripts/collector.js:16

Dependencies and supply chain

Package    Version  Source  Known vuln  Notes
csv-parse  ^5.5.0   npm     No          Version properly pinned

File composition

6 files · 1013 lines
JavaScript 1 file · 573 lines
Markdown 3 files · 406 lines
JSON 1 file · 25 lines
CSV 1 file · 9 lines
Files of concern · 5
scripts/collector.js JavaScript · 573 lines
Unexplained child_process import · External third-party data collection · https://www.audtools.com · https://www.audtools.com/login
references/csv-format.md Markdown · 156 lines
https://zaraoutlet.top/collections/woman-collection-cardigans-jumpers · https://zaraoutlet.top/collections/woman-collection-co-ord-sets · http://shop.example.com/collections/all · https://www.example.com/collections/summer-dresses
README.md Markdown · 150 lines
https://img.shields.io/badge/version-1.0.0-blue · https://img.shields.io/badge/OpenClaw-Skill-green · https://img.shields.io/badge/license-MIT-orange
SKILL.md Markdown · 100 lines
Hardcoded credentials in documentation · Undeclared browser automation capability · https://zaraoutlet.top/collections/woman-collection-blazers · https://zaraoutlet.top/collections/woman-collection-bodies · https://www.audtools.com/users/shopns#/users/shopns/collecs?spm=m-1-2-3
test/sample.csv CSV · 9 lines
https://zaraoutlet.top/collections/woman-collection-dresses · https://zaraoutlet.top/collections/woman-collection-jackets · https://shop.example.com/collections/all
Other files · package.json

Security positives

No reverse shell or C2 infrastructure detected
No base64-encoded or obfuscated code
No unauthorized access to system paths like ~/.ssh or ~/.aws
No cron/persistence mechanisms
No data exfiltration to unknown external IPs
Dependency csv-parse has pinned version (^5.5.0)
No typosquatting or supply chain risks detected