Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Google Ads

v1.0.0

Build and optimize Google Ads and Shopping campaigns for Shopify stores to drive qualified traffic and sales. Triggers: google ads, shopping campaigns, googl...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with the provided files: the script builds a prompt asking for a full Google Ads strategy. However, the included analyze.sh invokes a local 'openclaw' CLI binary (openclaw agent --local ...), which is not listed in required binaries or install instructions. That is an undocumented runtime dependency the maintainer should have declared.
Instruction Scope
SKILL.md and analyze.sh instruct the agent to produce specific numeric outputs (top 20 keywords with estimated CPC and volume, specific ROAS and CPC ranges). There is no code, install step, or declared environment variables to connect to Google Ads, Keyword Planner, or any data source — so the skill will rely entirely on the model to fabricate or approximate those numbers. That mismatch can mislead users expecting data-driven estimates.
Install Mechanism
There is no install spec (instruction-only), which is low risk. The script, however, executes an external CLI ('openclaw agent') and will fail if that binary is not present. No downloads or archive extraction are performed.
Credentials
The skill requests no environment variables, credentials, or access to config paths. The behavior in the code does not attempt to read secrets or other system files.
Persistence & Privilege
The skill is not declared always:true and does not request elevated or persistent system presence. It does not modify other skills or global agent configuration.
What to consider before installing
This skill appears to be an instruction-only tool that prompts a local OpenClaw agent to write an ad strategy. Before installing or running it:

1) verify you have the 'openclaw' CLI available (the manifest does not declare this dependency);
2) understand that CPC, search volume, and ROAS figures will be model-generated estimates unless you provide explicit integrations/API keys — the skill does not include any Google Ads or Keyword Planner integration;
3) if you need real traffic or cost data, prefer a version that connects to Google APIs (and then only supply the minimal, purpose-specific credentials);
4) run the script in a safe environment first to confirm behavior, and avoid passing any sensitive store credentials or customer data into the prompt.

If the maintainer can document the 'openclaw' dependency and clarify whether/how external data sources are used, that would reduce the remaining concerns.

Like a lobster shell, security has layers — review code before you run it.
