Identifies winning e-commerce products by analyzing social trends, regional demand, marketplace data, and prepares WooCommerce or Shopify store drafts accord...
Security Analysis
high confidence
The skill's declared requirements and runtime instructions are internally consistent with a product-research/orchestration purpose; nothing indicates intentional misdirection or unrelated credential requests, though it will install and call upstream tooling and APIs so you should review those upstream skills and API scopes before use.
The name/description (e‑commerce product research + store draft creation) matches the requested binaries (node, npx for CLI orchestration) and the three API keys (trend provider, Google Places, api-gateway). The listed upstream skills (tavily-search, goplaces, api-gateway, shopify/woocommerce) align with the stated workflow.
SKILL.md limits actions to trend scanning, regional checks, marketplace gating, sourcing checks, and optional draft creation via api-gateway. It only reads the declared env vars (it even instructs explicit preflight checks) and describes blocked/fallback behavior when connections are missing. There are no instructions to read arbitrary system files or unrelated credentials.
The skill is instruction-only (no packaged install), but the runtime instructions call npx to install other ClawHub skills (network download + execution). This is expected for a Node/CLI-based orchestration skill, but it means code will be fetched at install time — review the referenced upstream skills before running those npx install commands.
The three required env vars (TAVILY_API_KEY, GOOGLE_PLACES_API_KEY, MATON_API_KEY) directly map to the services the skill says it will use. The SKILL.md also documents that an API key alone may not be sufficient for api-gateway (OAuth app connections required), which limits unilateral power of a single key.
The skill does not request always:true and is user-invocable only. There is no indication it will change other skills' configs or request permanent system-level privileges.
Guidance
This skill appears to do what it claims, but it orchestrates other tools and will download upstream skills via npx. Before installing or running it: (1) verify and trust the referenced upstream skills (tavily-search, goplaces, api-gateway, shopify) — inspect their code and permissions; (2) provide API keys scoped to the minimum necessary permissions (avoid giving full-account keys where scoped keys are available); (3) be aware api-gateway requires additional OAuth connections for store operations — giving MATON_API_KEY alone is not sufficient but still provides access to that gateway; (4) prefer running this in an isolated environment or sandbox if you want to limit blast radius; and (5) note shopify is marked under maintenance in the skill, so prefer WooCommerce or manual deployment until upstream support is confirmed.
Latest Release
v1.0.0
Major update: Transformed the skill from a general product-building toolkit into a focused orchestration tool for scouting, validating, and preparing e-commerce winning products.
- Renamed and repositioned as "product-spy" targeting e-commerce trend and dropshipping use cases.
- Completely rewrote purpose, workflow, and rules for orchestrating discovery, validation, and store listing based on data signals from integrated skills.
- Added strict input requirements, failure handling, API key checks, and output contracts for transparency and reliability.
- Enforced explicit outputs at each pipeline stage: trend analysis, regional demand, competition check, sourcing, creative, deployment.
- Removed most previous files and product frameworks in favor of a coordinated, code-driven orchestration model.
- Clearly documented integration, prerequisites, and troubleshooting steps for required APIs and marketplace connectors.
Published by @h4gen on ClawHub