Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Dropshipping Finder

v1.0.0

Dropshipping product research and supplier evaluation for Shopify stores. Analyze product viability, find reliable suppliers, estimate margins, and build a w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to perform dropshipping research and indeed constructs a research prompt and prints a report, which is coherent. However, the included analyze.sh requires the local 'openclaw' agent CLI and python3 at runtime, but the skill declares no required binaries. That mismatch (undeclared dependencies) is a coherence problem — a user installing this skill may not realize it will invoke a local agent binary.
Instruction Scope
The SKILL.md and analyze.sh stay within the stated purpose: building a product research prompt, calling a local agent to generate analysis, and printing the result. The script does not read arbitrary system files or request environment variables. However, it invokes 'openclaw agent --local', which may cause the local agent to send the prompt (and therefore any user-provided input) to configured model backends or plugins; that forwarding behavior is not documented in the skill and is an implicit side-effect users should be aware of.
Install Mechanism
There is no install spec — the skill is instruction-only with one shell script. No remote downloads or archive extraction are present. That minimizes installation risk, but runtime dependency execution still occurs when analyze.sh runs.
Credentials
The skill declares no required environment variables or credentials and the script does not reference any ENV vars. This is proportionate to the stated purpose. Note: the local 'openclaw' agent invoked by the script may itself read or use environment variables from the host environment depending on its configuration.
Persistence & Privilege
The skill is not force-installed (always:false) and is user-invocable. It does invoke the local agent CLI ('openclaw agent --local'), enabling nested/recursive agent activity at runtime — this increases blast radius if the local agent is configured with network access or plugins, but the skill itself does not request persistent privileges or modify other skills.
What to consider before installing
This skill is mostly coherent with its stated purpose, but take these precautions before installing or running it:

- Inspect and confirm you have the required runtime tools: the script calls 'openclaw' and 'python3' but the skill lists no required binaries. If you don't want the skill to run the local OpenClaw agent, do not run analyze.sh.
- Understand what your local OpenClaw agent does: 'openclaw agent --local' may forward prompts to remote model endpoints, plugins, or other skills. Check your agent's configuration and network permissions so you know where your prompts and any example data will be sent.
- Run in a sandboxed environment first (or with network disabled) to observe behavior and ensure no unexpected network calls are made.
- If you plan to use it regularly, consider adding explicit dependencies to the skill metadata (openclaw, python3) or editing the script to fail with a clear error if those binaries are missing.
- If you have sensitive data or secrets on the machine, don't pass them to this skill and verify the local agent cannot access them or environment variables you care about.

Given the undeclared runtime dependencies and implicit local-agent forwarding behavior, proceed cautiously and verify the environment the skill will run in.


latest · vk9704jhmtkbpmy01gmdc90gj9x83fgvv

