Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopify Fulfillment Strategy
v1.0.0
Choose and optimize between 3PL, in-house, and hybrid fulfillment models for Shopify stores based on volume, cost, and growth stage. Triggers: fulfillment st...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name, description, SKILL.md, and analyze.sh all focus on Shopify fulfillment strategy and are internally consistent. However, the analyze.sh script invokes a local 'openclaw' CLI (openclaw agent ...) even though the skill declares no required binaries. That undeclared dependency is an inconsistency: a runtime component is required but not documented in the metadata.
Instruction Scope
The SKILL.md and the script stay within the stated scope (generate a fulfillment strategy from user-supplied input). The script only uses the provided INPUT and constructs a prompt. It does, however, pass that prompt to a local agent process (openclaw agent --local --message ...) which may cause the agent to read local config or make network requests depending on the local agent's behavior — the skill's instructions do not document that side effect.
Install Mechanism
There is no install spec (instruction-only + a helper script). Nothing is downloaded or written to disk by an installer. This is the lower-risk pattern, aside from the script's invocation of a local CLI.
Credentials
The skill does not request environment variables, credentials, or config paths. The script does not attempt to read environment secrets. That is proportionate for a strategy/report generator. Users should avoid providing sensitive credentials as the INPUT parameter.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does invoke a local agent process when run; autonomous invocation is allowed by platform defaults but is not specially elevated here.
What to consider before installing
This skill appears to do what it says (produce a Shopify fulfillment strategy), but the included analyze.sh calls a local 'openclaw agent' binary that is not declared in the skill metadata. Before installing or running:
1) Verify you have (and trust) the openclaw CLI on the host — the script will execute it and that local agent could read local configs or make network calls depending on its implementation.
2) Do not pass store credentials, API keys, or other secrets as the INPUT argument; the script embeds INPUT into a prompt sent to the agent.
3) Inspect the repository/homepage (https://github.com/mguozhen/shopify-fulfillment-strategy) to confirm origin and review any additional code.
4) If you plan to run the script, run it in an isolated environment or sandbox first.
If the publisher can clarify why the openclaw binary is not declared, that would reduce the remaining concern.
Like a lobster shell, security has layers — review code before you run it.
