PPSPY: Shopify spy for dropshipping & shopify sales tracker tool
v1.0.3
Search and analyze Shopify stores, Facebook ads, ad monitoring, and sales tracking using PPSPY e-commerce intelligence API. Find winning products, spy on com...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the resources required: PPSPY_API_KEY is the primary credential and npm is required to install the ppspy MCP server that exposes the listed tools. The requested items are coherent with an integration to the PPSPY API.
Instruction Scope
SKILL.md stays within the skill's stated purpose: it instructs the user/agent to set PPSPY_API_KEY and to install/run ppspy-mcp-server. It does not ask the agent to read unrelated files or other credentials.
Install Mechanism
Installation is via npm install -g ppspy-mcp-server@1.0.1 (a third‑party package from the npm registry). This is a normal distribution method but means arbitrary code from that package will be written to and executed on the host — a moderate installation risk that warrants inspection of the package source or running it in an isolated environment.
Credentials
Only PPSPY_API_KEY is required and is the declared primary credential; that is appropriate for an API-backed spy/tracking tool. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not force installation (always:false) but the MCP server will be run by the agent when invoked. That gives the skill a local process that can access the network and the provided API key — consider the elevated runtime surface that creates.
Assessment
This skill appears to do what it claims, but it installs and runs a third‑party npm package (ppspy-mcp-server) on your machine and will use your PPSPY_API_KEY. Before installing: 1) verify the npm package and its publisher (review source code on GitHub or the package page), 2) avoid global installs if you can—use a container, VM, or a non-global virtual environment, 3) limit and monitor the API key (use a key with least privilege and rotate it if needed), and 4) review network/egress controls if you are concerned about a background process communicating externally.
Like a lobster shell, security has layers — review code before you run it.
latest: vk974wvh4wwtjfsvkb360w02ym9842a18
Runtime requirements
🔍 Clawdis
Bins: npm
Env: PPSPY_API_KEY
Primary env: PPSPY_API_KEY
