Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
shopyo
v1.0.0
Modular Flask framework for building scalable, maintainable web apps with isolated modules, event-driven communication, CLI tools, and built-in auth and data...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md documents a modular Flask framework and CLI usage (shopyo, flask, DB commands). However the skill metadata lists no source or homepage and declares no required binaries or env vars. For a CLI-oriented framework, one would expect at least 'shopyo'/'flask' as required binaries or an install instruction or a trusted source — their absence is inconsistent.
Instruction Scope
The instructions tell the agent/user to run commands that modify the filesystem and local DB (shopyo initialise, db migrate/upgrade, clean, collectstatic). They also instruct setting env vars (SHOPYO_CONFIG_PROFILE, FLASK_ENV, FLASK_APP) that are not declared in metadata. While these actions are normal for a web framework, the skill grants no explicit constraints and the metadata omits these runtime expectations.
Install Mechanism
No install spec and no code files are present, so the skill is instruction-only and does not install anything itself. This lowers direct install risk, but also means the SKILL.md assumes external tools are already installed from elsewhere.
Credentials
The metadata declares no required environment or credentials, yet the instructions reference several environment variables to control behavior. The doc also documents a default admin email/password after initialization (admin@domain.com / pass) — useful for dev but insecure if used inadvertently in a non-isolated environment.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system-wide settings. Autonomous model invocation is allowed by default but is not accompanied by extra privileges here.
What to consider before installing
This SKILL.md is effectively documentation for using the Shopyo CLI and framework rather than an installer. Before using/installing anything: (1) verify the official Shopyo project source or homepage and install the shopyo/flask packages from a trusted repository, (2) do not run 'shopyo initialise', 'clean', or DB migration commands on production data — they modify/reset databases and files, (3) change the documented default admin password if you initialize a site, (4) be aware the skill metadata does not declare the required binaries or env vars (SHOPYO_CONFIG_PROFILE, FLASK_ENV, FLASK_APP), so expect to manually provide/install them, and (5) if you expect an integrated skill (auto-install), treat this as purely documentation — request a version that includes a verified install spec or source URL before granting privileges or running commands.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fz8gr85nj5f18tyqwnx6vsd837g78
