Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopify Ai Product Description
v1.0.0
Generate SEO-optimized, high-converting AI product descriptions for any Shopify store niche with proven copy frameworks. Triggers: product description genera...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match its behavior: it builds a prompt and asks an agent to generate product descriptions. However, the shipped script invokes the 'openclaw' CLI but the skill metadata does not declare that binary as a required dependency — that's a mismatch that should be declared or fixed.
Instruction Scope
SKILL.md and analyze.sh limit actions to building a prompt from provided product text and calling a local agent. The instructions do not read files or request unrelated credentials. One caveat: the script forwards the product input to 'openclaw agent', and the security properties depend on what that agent/CLI does (local only vs. forwarding to a remote endpoint).
Install Mechanism
No install spec and only a small shell script are included, so nothing arbitrary is downloaded or written to disk by the skill itself.
Credentials
The skill does not request environment variables, credentials, or config paths — this is proportional to its stated purpose.
Persistence & Privilege
The skill is not always-on and does not request elevated persistence. It only invokes a local agent process when run and does not attempt to modify other skills or system-wide configs.
Assessment
This skill is mainly a prompt wrapper and looks internally consistent, but check two things before installing or running it: (1) the analyze.sh script calls the 'openclaw' CLI — ensure that you have that binary installed from a trusted source and that the skill metadata is updated to declare it as a required binary; (2) confirm how your 'openclaw agent' CLI is configured (local-only vs. remote API) because analyze.sh will send whatever product data you provide to that agent. If you will pass sensitive product or customer data, verify the agent does not forward it to an external service you don't control. Otherwise this skill appears coherent and limited in scope.
Like a lobster shell, security has layers — review code before you run it.
