Back to skill
Skillv2.0.0
ClawScan security
Shopify Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:59 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions are coherent with a local Shopify guidance/utility tool; it does not request credentials or reach out to external endpoints, but it does persist user inputs locally so avoid entering secrets.
- Guidance
- This skill appears to be a local Shopify guidance/utility and is internally consistent. It does not contact external servers or ask for API keys, but its scripts create a data directory (default: $XDG_DATA_HOME/shopify-helper or $HOME/.local/share/shopify-helper) and write history.log and data.log that can contain whatever you pass to the tool. Before installing/using: (1) inspect the scripts yourself (they are plain bash), (2) avoid entering passwords, API keys, or other secrets into the tool, (3) you can set SHOPIFY_HELPER_DIR to point to a safe or ephemeral folder, and (4) periodically inspect or delete the data directory if you want to remove persisted inputs.
Review Dimensions
- Purpose & Capability
- okName/description match the provided content: the SKILL.md and scripts implement Shopify store setup, theme, product, SEO, app recommendations, and launch checklist. No unrelated binaries, services, or credentials are requested.
- Instruction Scope
- okSKILL.md is a static help/instruction document and the included bash scripts only print guidance and provide a small local CLI (setup/theme/product/seo/app/launch). There are no instructions to read system-wide secrets, network endpoints, or other unrelated files.
- Install Mechanism
- okThere is no install spec (instruction-only skill with shipped scripts). The included files are plain shell scripts; no remote downloads, package installs, or extract-from-URL steps are present.
- Credentials
- noteThe skill declares no required environment variables or credentials. The scripts respect SHOPIFY_HELPER_DIR and XDG_DATA_HOME/HOME to pick a data directory; they do not require tokens. However, the CLI persists inputs to files (data.log and history.log) in the data directory, so any sensitive input the user types or adds via the tool would be stored locally.
- Persistence & Privilege
- okalways:false and the skill does not request elevated privileges. It creates and writes to a per-user data directory (default: ${XDG_DATA_HOME:-$HOME/.local/share}/shopify-helper). This is expected for a local utility, but note the persistence of user-provided content.