Shopify Email Segmentation
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to generate Shopify email-marketing strategy content and does not show credential access, data exfiltration, or destructive behavior.
This looks safe for generating strategy content, but be aware that it uses a local Bash script rather than being purely instructional. Review the script if you are concerned about local command execution, and do not paste sensitive customer data unless you are comfortable with how your local OpenClaw setup handles prompts.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or invoking the skill may run a local command to generate the email segmentation strategy.
The skill uses a Bash wrapper to invoke a local OpenClaw agent command. The command is fixed and purpose-aligned with generating the marketing report, but it is still local command execution.
RESULT=$(openclaw agent --local --session-id "$SESSION_ID" --json -m "$PROMPT" 2>/dev/null)
Use it only in an environment where running local OpenClaw commands is expected, and consider documenting this runtime behavior clearly.
The skill may fail or behave differently if the expected local tools are not available.
The script depends on python3, while the registry requirements declare no required binaries and there is no install spec. This is an under-declared dependency rather than evidence of malicious behavior.
REPORT=$(echo "$RESULT" | python3 -c "
The publisher should declare runtime dependencies such as python3 and the OpenClaw CLI, or document that the script expects them.