Ned - Shopify Profit Analytics AI
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Ned analytics integration, but it uses a Ned API key to access detailed store and customer metrics.
Install only if you intend the agent to query your Ned/Shopify analytics. Verify the publisher, provide a revocable or least-privileged NED_API_KEY if possible, use documented endpoints, and be careful with customer-level outputs in shared or persistent chats.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill with the API key can query the store analytics that the key permits.
The skill relies on a bearer API key to access the merchant's Ned account data. This is expected for the integration, but it is credentialed account access and the registry metadata does not declare a primary credential.
Requires a NED_API_KEY... Auth: `Authorization: Bearer $NED_API_KEY`
Only provide the key if you trust the skill and publisher; use the least-privileged or revocable Ned key available, and revoke it when no longer needed.
Customer segments, churn risk, revenue, and profit details may appear in chat outputs or downstream summaries.
The skill intentionally brings detailed customer and profitability data into the agent conversation. No artifact shows persistent storage, but the retrieved context itself can be sensitive.
Returns: customers grouped by profit_tier with full detail (orders, revenue, profit, margin, activity, churn_risk).
Ask only for the data needed, avoid sharing outputs in public or persistent contexts, and confirm before exposing customer-level details.
A mistaken or overly broad endpoint choice could query unintended Ned account data or consume API credits.
The helper sends an agent/user-chosen endpoint and period to the fixed Ned API host using the bearer token. Quoting and the fixed host reduce shell/host abuse, but the script is a generic API wrapper rather than an allowlisted command.
ENDPOINT="${1:?Usage: ned-query.sh <endpoint> [period]}" ... URL="https://api.meetned.com/api/v1/${ENDPOINT}?period=${PERIOD}" ... curl ... "Authorization: Bearer $NED_API_KEY" "$URL"
Use the documented read-only endpoints unless the user explicitly requests otherwise, and consider adding endpoint allowlisting if distributing this skill broadly.
Users may have less assurance that the skill package is published by the expected Ned provider.
The registry metadata does not establish an official source or homepage for the skill. This is a provenance gap, especially because the skill asks for a service API key.
Source: unknown; Homepage: none
Verify the publisher through Ned/meetned.com or another trusted channel before providing a live API key.
