Skill v1.0.1

ClawScan security

Ned - Shopify Profit Analytics AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:36 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior (calling meetned.com with a Ned API key) matches its description, but the package metadata omits the required NED_API_KEY/primary credential declarations — an incoherence that should be resolved before trusting the skill.
Guidance
This skill appears to do what it says (query Ned's API for Shopify analytics) but the package metadata incorrectly omits the required NED_API_KEY declaration and primary credential. Before installing or using it: (1) confirm the skill author and official homepage (meetned.com) match the publisher; (2) only provide a Ned API key with the minimum scope needed (prefer read-only or analytics-only keys); (3) verify the key format and rotate it after testing; (4) review Ned's privacy and data-retention policies because order-level profit data will be sent to their API; (5) ask the publisher to update the registry metadata to declare NED_API_KEY as the primary credential so platform governance can surface the secret requirement. Treat the missing metadata as a packaging/oversight issue — not proof of malicious intent — but do not supply sensitive keys until you verify the origin and required key permissions.

Review Dimensions

Purpose & Capability
ok: The name/description describe a Shopify profit analytics integration and the SKILL.md plus scripts call https://api.meetned.com endpoints that return profitability, product, and customer summaries; functionality matches the stated purpose.
Instruction Scope
ok: Runtime instructions and the bundled script only perform authenticated HTTP GET requests to the Ned API and print JSON. They do not read unrelated system files, access other credentials, or transmit data to unexpected endpoints.
Install Mechanism
ok: There is no install spec (instruction-only) and the included script is a simple curl wrapper. Nothing is downloaded or written to disk by an installer step.
Credentials
concern: SKILL.md and scripts require a NED_API_KEY (and even show the key prefix 'ned_live_'), but the registry metadata lists no required env vars and no primary credential. The omission is an incoherence: the skill will need a secret at runtime even though none is declared. This could be a benign packaging mistake, but it should be corrected and the key's required scope (read-only vs. write) clarified.
Persistence & Privilege
ok: The skill does not request persistent installation, does not set always:true, and does not modify other skills or system configuration. Autonomous invocation is enabled (default) but that's expected.