Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

shopify library & shopify spy tool

v1.0.1

Search Shopify stores and products with PPSPY. Use this skill as a general Shopify library and Shopify spy tool for store, product, theme, and category resea...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (Shopify spy tool) are consistent with the single required env var PPSPY_API_KEY and the npm binary. Requesting an API key for ppspy is coherent with the stated purpose.
Instruction Scope
The SKILL.md contains an install block that instructs running `npm install -g ppspy-mcp-server@1.0.1` and defines an mcpServer entry to run `ppspy-mcp-server` with your API key. That means the skill intends to install and execute third-party code and run a local server/process — more intrusive than a purely instruction-only integration and not fully documented elsewhere.
Install Mechanism
Installation is via a global npm package (ppspy-mcp-server@1.0.1). npm installs are common but come from an external package (publisher unknown here). This is moderate risk: code will be written to disk and executed, but it is not a direct download from a random URL or archive extract.
Credentials
Only PPSPY_API_KEY is required which fits the service. However, that API key will be passed to a third‑party server process installed locally; the package will have live access to the key and may transmit it to ppspy's API or other endpoints.
Persistence & Privilege
`always` is false (normal). The install uses `-g`, which writes global binaries (may require elevated permissions) and will create a running process if the MCP server is started. The skill does not declare other system-wide config changes, but it does request persistent local installation and execution.
What to consider before installing
This skill appears to be what it says (a PPSPY-backed Shopify intelligence tool), but it instructs you to globally install and run a third-party npm MCP server that will have your PPSPY_API_KEY. Before installing:
1) Verify the npm package publisher and inspect the package source (GitHub link or package files) for unwanted behavior.
2) Prefer installing and running it in an isolated environment (container or VM) rather than on the host system.
3) If possible, use a dedicated or limited PPSPY API key or account with minimal permissions, and monitor its usage and credits.
4) Confirm whether the registry metadata should include this install step (there is a mismatch between the registry summary and SKILL.md).
5) If you do not trust the package author or cannot review the code, decline, or request a version that uses direct API calls (no local server install).


License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Clawdis
Bins: npm
Env: PPSPY_API_KEY
Primary env: PPSPY_API_KEY