Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Crowdfunding

v1.0.0

Plan and run a crowdfunding campaign on Kickstarter or Indiegogo to validate and fund new Shopify products before launch. Triggers: crowdfunding strategy, ki...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is a planner for crowdfunding campaigns and does not require external credentials or special system access. However, the shipped script (analyze.sh) invokes an 'openclaw agent' executable to generate the plan. The required-binaries section declares no binaries, so the script's dependency on the 'openclaw' CLI is not declared — this mismatch is disproportionate to the stated purpose and could hide additional behavior.
Instruction Scope
SKILL.md itself contains only planning instructions and examples and does not ask for secrets or to read arbitrary files. The analyze.sh script builds a large prompt and runs 'openclaw agent --local --message ... --session ...' which will pass the user input to that CLI; that action is outside what SKILL.md explicitly documents and gives the skill runtime broad discretion depending on what the 'openclaw' binary does.
Install Mechanism
There is no install spec and no downloaded artifacts; the skill is instruction-only plus a small script. This minimizes disk-level install risk. The remaining risk comes from runtime invocation of an external CLI, not from an installer.
Credentials
No environment variables, credentials, or config paths are requested. The skill's functionality (campaign planning) doesn't justify secret access, and none is requested — this aspect is proportionate.
Persistence & Privilege
The skill is not marked always:true and makes no changes to other skills or system configuration. It does execute a local CLI at runtime but does not request elevated persistence or cross-skill modification.
What to consider before installing
This skill appears to be a straightforward crowdfunding planner, but the provided analyze.sh script runs an external 'openclaw agent' CLI that the package does not declare as a required binary. Before installing or running it:
1) Inspect the openclaw binary on your system (where it comes from, its version, and what network access it has).
2) Confirm the repo/homepage code for any other scripts or readme describing that CLI.
3) If you don't trust the local 'openclaw' binary, do not run analyze.sh; instead run the prompt text locally in a trusted environment or ask the skill author to remove the external CLI dependency or declare it explicitly.
4) Run the script in a sandbox or offline environment to verify it doesn't transmit sensitive data.
If the author can confirm and document that 'openclaw agent --local' runs purely locally and does not phone home, the main concern would be resolved.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b2erh51eznqpgby2axqd8tx83n2cb
