Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Headless Commerce

v1.0.0

Evaluate and plan a headless commerce strategy for Shopify stores to achieve custom frontend experiences and performance gains. Triggers: headless commerce,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose (evaluate and plan Shopify headless strategies) is consistent with the content of SKILL.md and the included analyze.sh which generates a strategy report. However, the script relies on running an 'openclaw' agent binary (openclaw agent --local ...) even though no required binaries were declared in the skill metadata. That mismatch is unexpected and should have been declared.
Instruction Scope
SKILL.md instructions and the script's prompt stay within the stated purpose: generating a headless commerce strategy based on user input. The script does not read files, environment variables, or external URLs, nor does it embed hidden endpoints or obvious exfiltration paths.
Install Mechanism
There is no install spec and no network downloads; the skill is instruction-only with a small helper script. That keeps installation risk low. The only install-like requirement is the expectation that an 'openclaw' binary is available on the host, but this was not declared as a required binary.
Credentials
The skill declares no required environment variables or credentials, which fits its purpose. However, analyze.sh invokes a local agent binary (openclaw) that may have access to other agent context or credentials at runtime; the skill metadata does not mention this dependency. The missing declaration of required binaries is an inconsistency and increases the chance of unexpected privilege/access at execution time.
Persistence & Privilege
The skill is not marked always:true and does not request persistent presence or modify other skills or system configuration. It merely runs a local agent process and then exits, which is a limited privilege surface.
What to consider before installing
This skill appears to do what it says (produce a headless commerce strategy), but the provided analyze.sh invokes a local 'openclaw' agent binary that the skill metadata does not declare as required. Before installing or running:
1) Verify the provenance of this skill and the openclaw binary it expects (where does 'openclaw' come from?).
2) Inspect and, if possible, run analyze.sh in a safe sandbox to observe its behavior.
3) Ensure the local 'openclaw' binary is the official/expected binary and does not have access to secrets you don't intend to share with the skill.
4) Prefer that the skill manifest explicitly list 'openclaw' (or the required binary) as a dependency, or update SKILL.md to avoid hidden runtime requirements.
If you cannot confirm the source of the openclaw binary, avoid running the script on systems that contain sensitive credentials or production data.
