Skill v1.0.0
ClawScan security
SEO Product Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 9:26 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested access and runtime instructions are consistent with an auditor/uploader for Shopify and WooCommerce: it expects store API credentials (kept in memory) and uses them to read and optionally write product SEO fields; nothing in the package requests unrelated secrets or installs arbitrary code.
- Guidance: This skill appears coherent for auditing and fixing Shopify/WooCommerce product SEO. Before installing or using it:
  1) Only provide API credentials from a custom app with the minimum scopes required (prefer read_products for audits; add write_products only if you will push fixes).
  2) Confirm that you control the token and store handle; revoke or rotate tokens when no longer needed.
  3) Test on a small subset or a staging store first to verify it behaves as expected.
  4) Note that audit state and exports may be stored in the agent workspace/memory (seo_audit_config and a CSV path); if workspace confidentiality matters, review where those files are written and whether memory persists.
  5) The SKILL.md claims it will ask for explicit confirmation before any writes — still review proposed changes carefully before approving bulk updates.

  If you want extra safety, skip granting write scope and run audits only, or require manual application of suggested fixes through your Shopify admin.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions. The SKILL.md describes fetching products, reading/writing SEO fields and metafields, scoring by 10 criteria, and optionally pushing fixes; the credential types it asks for (Shopify access token, WooCommerce consumer key/secret) are exactly what such a skill needs. There are no unrelated requested credentials or binaries.
- Instruction Scope (note): Instructions are detailed and stay within the stated domain: API calls to Shopify/WooCommerce, per-product metafield fetches, HTML stripping rules, scoring logic, and explicit user confirmation before making writes. Minor scope notes: examples show writing an export to ~/.openclaw/workspace (local disk) and the skill instructs storing credentials in agent memory under seo_audit_config — users should be aware these actions persist data locally/in-memory. Otherwise the workflow does not ask to read unrelated system files or external endpoints beyond the e-commerce APIs.
- Install Mechanism (ok): Instruction-only skill with no install spec or external downloads. No code files executed at install time and no network-installs specified — lowest install risk.
- Credentials (ok): The only sensitive items referenced are Shopify/WooCommerce API credentials (shpat_/ck_/cs_), and the SKILL.md documents appropriate API scopes (read_products, write_products, write_metafields if needed). The skill does not request unrelated environment variables or system credentials. It reuses credentials from companion skills if present; this is proportionate but worth noting as a convenience that shares tokens across skills.
- Persistence & Privilege (note): The skill stores settings and audit state in memory under seo_audit_config and may write CSV exports to a workspace path. It also needs write-scoped API access to push fixes. Autonomous invocation is allowed by default (platform standard) and the skill claims it will not push updates without explicit confirmation. Users should verify the trustworthiness of stored tokens and be aware that granting write scopes allows the skill to modify store content when they approve actions.
