Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

lumenshop-deals

v1.0.0

Search Shopify products (shoes, clothes, bags) and present results as beautiful image+text product cards. Use this skill whenever the user wants to buy somet...

by Carlos @carlos-zen
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (search Shopify products and render product cards) match the included Bash script and SKILL.md. The script performs a POST to an API endpoint to fetch product hits and returns raw JSON as described.
Instruction Scope
SKILL.md instructs the agent to run scripts/skill.sh and parse its JSON output, which matches the bundle. Minor inconsistency: the script reads optional environment variables LUMENSHOP_API_URL and LUMENSHOP_API_KEY, but the skill's metadata declares no required env vars. The README does mention an API base URL and token via script flags; however, these env variables are not documented in the top-level registry metadata.
Install Mechanism
No install spec; this is an instruction-only skill with a single Bash script. No downloads, package installs, or archive extraction. Low-risk installation footprint.
Credentials
The script accepts an API key and API URL via environment variables or flags (defaults to a public dev-key and https://lumenshop.vercel.app). No required credentials are declared. This is proportionate to a web-API querying skill, but the registry metadata does not advertise the optional env vars that the script will read if present.
Persistence & Privilege
Skill is not marked always:true and does not request persistent system-wide privileges or modify other skills. It makes outbound HTTP requests (expected for its purpose) but does not write to configuration or access unrelated system files.
Assessment
This skill appears to do what it claims: run a local Bash script that queries a LumenShop API and returns product JSON, which the agent then formats as product cards. Before installing, consider: (1) the script makes outbound requests to https://lumenshop.vercel.app by default — check LumenShop's privacy/trustworthiness if you care about query data leaving your environment; (2) you can override the API URL and API key via flags or the LUMENSHOP_API_URL / LUMENSHOP_API_KEY env vars (these env vars are used by the script but not declared in the registry metadata); (3) results include clickable URLs and image links — treat them like any third-party links and avoid entering sensitive info on unknown stores. If you want tighter control, request that the publisher document the env vars in metadata or allow using an internal/owned API endpoint and key.

Like a lobster shell, security has layers — review code before you run it.
