ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Backlink Builder

v1.0.0

Link building strategy for Shopify stores. Build a prioritized backlink acquisition plan using guest posting, HARO, digital PR, and competitor link analysis...

0· 65·0 current·0 all-time
by@mguozhen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (shopify backlink strategy) matches the SKILL.md and the analyze.sh behavior: it builds an SEO prompt and generates a plan. However, the manifest declares no required binaries or env vars while analyze.sh actually invokes the 'openclaw' CLI and python3; that is an inconsistency the author should have declared.
Instruction Scope
SKILL.md instructs the agent to produce backlink audits, outreach templates, and plans only (within scope). The analyze.sh script constructs a detailed prompt and forwards it to 'openclaw agent --local'. The script does not read arbitrary user files or request secrets, but forwarding user-provided store/niche info to an external model or service (via the openclaw CLI) could expose sensitive business data depending on the CLI's network behavior.
Install Mechanism
There is no install spec (instruction-only plus an included script). That minimizes installation risk. The included shell script will be executed by the agent if used, but nothing is downloaded or extracted by the skill itself.
!
Credentials
requires.env and primary credential are empty, which is appropriate given the described purpose. But analyze.sh implicitly requires 'openclaw' on PATH and python3; those runtime dependencies are not declared. Also whether 'openclaw agent --local' communicates off-host (and what credentials it uses) is unknown and relevant to proportionality.
Persistence & Privilege
The skill is not marked always:true and does not request elevated/persistent presence. It only runs when invoked and does not modify other skills or system-wide configurations.
What to consider before installing
This skill appears to do what it claims (generate backlink strategies), but inspect before running: 1) The included script calls 'openclaw agent --local' and python3 even though the manifest lists no required binaries—verify you have those tools and understand their behavior. 2) Determine whether your openclaw CLI will send the prompt and any store-specific input to a remote service (networked model) — if so, avoid sending sensitive business data. 3) Run the script in an isolated environment or sandbox first and review the output. 4) Ask the publisher to update the manifest to list required binaries (openclaw, python3) and to document whether network calls occur. If you need high assurance that data never leaves your machine, do not run this skill until you confirm the openclaw agent operates fully offline.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fmv20zeb8y8ms6hsk05rzwn83frkh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments