Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Content Marketing

v1.0.0

Build a content marketing and SEO blog strategy for Shopify stores to drive organic traffic, build authority, and convert readers to buyers. Triggers: conten...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be an instruction-only content-marketing helper, which is coherent with the SKILL.md and the analyze.sh purpose. However, analyze.sh calls the 'openclaw' CLI binary (openclaw agent --local ...), yet the skill metadata lists no required binaries. Requiring the OpenClaw CLI is plausible for delivering the generated strategy, but it is not declared — this is an incoherence.
Instruction Scope
SKILL.md stays on-topic (producing content strategy). The analyze.sh script builds a detailed prompt and invokes 'openclaw agent --local --message ...' with the prompt and a generated session ID. That runtime behavior (calling a local OpenClaw agent binary) is broader than the SKILL.md's plain-text instructions implied: it triggers an external agent run and could result in recursive agent activity or network calls depending on the local CLI configuration.
Install Mechanism
There is no install spec (instruction-only), which is low risk. But because analyze.sh depends on an external CLI (openclaw), the absence of a declared required-binary or install instruction is an omission; the script will fail or behave unexpectedly if the CLI is missing or configured differently.
Credentials
The skill declares no required environment variables or credentials, which matches the content-marketing purpose. However, the 'openclaw agent' invocation may rely on the local OpenClaw CLI configuration (which could contain credentials or endpoints) implicitly. That implicit dependency is not declared and therefore worth noting.
Persistence & Privilege
The skill does not request always: true and has no install-time persistence. It is user-invocable and does not request elevated privileges or access to other skills' configs in the manifest.
What to consider before installing
This skill appears to do what it says (generate Shopify content/SEO strategies), but the bundled analyze.sh calls the 'openclaw' CLI tool even though the skill metadata doesn't declare that requirement. Before installing or running:

1) Verify you have the openclaw CLI installed and understand what it will do locally (does it call remote services, send telemetry, or read local config?).
2) Inspect the repository origin (the GitHub homepage) and confirm trust in the maintainer.
3) Run the script in a safe environment (isolated VM or container) to observe network activity and CLI behavior.
4) Avoid passing any sensitive store credentials or secrets as the INPUT to the script, since the script sends the prompt to the OpenClaw agent which may use local config or networked backends.

If you plan to use this skill in production, request that the author declare the openclaw binary requirement (or provide a pure-instruction implementation) and explain what the local agent invocation does.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e61dwx5tjffqn7n1r8x2wyh83m5gb
