Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

shopify product

v1.0.1

Search Shopify products and analyze winning items with PPSPY. Filter products by price, category, sales, and revenue, and inspect bestselling products by store.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Shopify product research via PPSPY) matches the declared requirement (PPSPY_API_KEY) and the listed tools. Requesting npm to install a PPSPY connector is coherent with the stated purpose.
Instruction Scope
SKILL.md's runtime instructions are narrowly scoped to installing/running ppspy-mcp-server and using the PPSPY API key; it does not instruct reading unrelated files or env vars. However, there is an internal inconsistency: the package-install step and mcpServers block are embedded in SKILL.md even though the registry metadata listed 'No install spec', so the skill does instruct the agent to perform an installation and run a local server process.
Install Mechanism
The skill directs a global npm install ('npm install -g ppspy-mcp-server@1.0.1') and will run that binary as an MCP server. npm packages can execute arbitrary code during install and at run time, and no package or publisher provenance is provided. This is a moderate-to-high risk compared with instruction-only skills or installs from well-known, verifiable release sources.
Credentials
Only PPSPY_API_KEY is required and is appropriately listed as the primary credential. That credential is proportional to the skill's stated function.
Persistence & Privilege
always: false (no forced inclusion), but the skill will install and run a local MCP server process which persists on the host while running. The skill can be invoked autonomously by agents (default), which combined with running a third-party server increases potential blast radius if the package is malicious.
What to consider before installing
This skill appears to do what it says, but it requires globally installing and running an npm package (ppspy-mcp-server) from the npm registry. Before installing:
1) Verify the npm package and its maintainer (npmjs.com/package/ppspy-mcp-server or its source repo), and review its code or changelog for suspicious behavior.
2) Prefer installing in an isolated environment or container rather than globally.
3) Limit the PPSPY_API_KEY permissions if possible, and rotate the key after testing.
4) Monitor network activity and billing/usage from your PPSPY account during initial use.
5) If you cannot verify the package source, treat this as higher risk and avoid installing it on sensitive machines.

Runtime requirements

🔍 Clawdis
Bins: npm
Env: PPSPY_API_KEY
Primary env: PPSPY_API_KEY