Best Shopify Stores

v1.0.1

Discover the best Shopify stores with PPSPY by filtering stores by traffic, revenue, language, region, theme, and single-product characteristics.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is a Shopify-store discovery wrapper around PPSPY. Requiring PPSPY_API_KEY and listing npm (to install an MCP server) is coherent with that purpose.
Instruction Scope
SKILL.md only instructs the agent to use the PPSPY API and set PPSPY_API_KEY. However the metadata also includes an install block and an mcpServers entry that will run a local 'ppspy-mcp-server' process with the API key; this expands runtime behavior beyond a pure instruction-only skill and should be noted.
Install Mechanism
The SKILL.md requests a global npm install of 'ppspy-mcp-server@1.0.1'. Using npm is normal for Node-based tools, but global npm installs execute third-party code and modify the system PATH—verify the package source (npm package page, linked repository) before installing.
Credentials
Only PPSPY_API_KEY is required and that matches the stated integration. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false (no forced inclusion). The skill’s MCP server will run as a local process (per mcpServers metadata), which could be long‑running or open network ports—this is not inherently malicious but increases runtime footprint compared with a simple API client.
Assessment
This skill appears to do what it says, but it includes an instruction to globally install and run a third‑party npm package (ppspy-mcp-server) that will execute on your machine and use your PPSPY_API_KEY. Before installing:
1) Inspect the npm package page and linked repository (maintainer, version history, issues).
2) Prefer installing in a sandboxed environment or container rather than globally if you’re unsure.
3) Check what network ports/processes the MCP server opens and what data it transmits.
4) Limit the PPSPY_API_KEY privileges if possible and be prepared to rotate it if you observe unexpected behavior.
If you want, provide the npm package homepage or repository URL and I can review it further.

Like a lobster shell, security has layers — review code before you run it.

latestvk97acsyxrpxqhf5gwjnmz3nmmx8433g9

Runtime requirements

🔍 Clawdis
Bins: npm
Env: PPSPY_API_KEY
Primary env: PPSPY_API_KEY
