Skill v1.0.0

ClawScan security

Shopify Company · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 11:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only informational skill (a static company profile of Shopify) that requests no credentials, installs nothing, and contains no runtime commands — its behavior is coherent with its stated purpose.
Guidance
This skill is low-risk from a security perspective because it is instruction-only, asks for no credentials, and installs nothing. The main thing to consider is content accuracy: the SKILL.md asserts many financial figures and counts without sourcing and is truncated at the end, so verify any numbers or strategic conclusions before using them for decisions. If you want stronger guarantees, ask the skill author to add citations or links to primary sources (SEC filings, Shopify reports, or reputable financial coverage) before relying on the data.

Review Dimensions

Purpose & Capability
ok
Name/description (Shopify company profile) match the contents of SKILL.md: a long-form company history, business model, financials, and competitive analysis. The skill declares no binaries, no env vars, and no install steps, which is proportionate for a read-only informational skill.
Instruction Scope
note
SKILL.md is a static, self-contained profile and does not instruct the agent to read files, access environment variables, run commands, or contact external endpoints. Note: the content contains factual claims and numeric data but provides no citations; accuracy or staleness of financial/metric claims is a content risk (not a security/incoherence issue).
Install Mechanism
ok
No install specification or code files are present (instruction-only). This minimizes on-disk execution risk and is consistent with the skill's purpose.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. There is no disproportionate access requested relative to the stated research/profile function.
Persistence & Privilege
ok
always is false and the skill is user-invocable. Model invocation is not disabled (the platform default) but combined with the skill's lack of permissions/install actions this does not create additional concern.