Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Influencer Evaluator

v1.0.0

KOL and influencer evaluation for Shopify brands. Score influencer fit, estimate ROI, generate outreach templates, and build a tiered influencer marketing st...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the behavior: building influencer strategy and templates. However, the included analyze.sh invokes the local 'openclaw' agent CLI and python3; the registry metadata declares no required binaries. Declaring openclaw and python3 (or removing the dependency) would make the capability claims coherent.
Instruction Scope
SKILL.md and the script stay within the influencer-evaluation scope (generate tiers, scoring, ROI, outreach). The script sends the full user input as part of a prompt to an agent process; it does not read system files or extra env vars. Caveat: embedding raw user inputs into a prompt passed to a local CLI/agent may leak sensitive inputs to whatever models/endpoints that CLI uses.
Install Mechanism
There is no install spec (instruction-only with one helper script), which minimizes install-time risk. The only code is analyze.sh; nothing is downloaded or extracted from external URLs.
Credentials
The skill requests no credentials or env vars, which fits the described purpose. But it implicitly requires the 'openclaw' CLI and python3 at runtime (used by analyze.sh) — these are not declared. The openclaw CLI may use networked LLMs and associated credentials/telemetry outside the skill's control.
Persistence & Privilege
'always' is false and the script does not modify system configs or other skills. It runs a local agent process and prints output; it does not persist credentials or change agent settings.
What to consider before installing
This skill appears to implement the influencer-evaluation functionality it claims, but review the included analyze.sh before installing. It calls the local 'openclaw' agent CLI and runs python3, yet the metadata lists no required binaries — ensure you have (and trust) the openclaw CLI on the host and that it will not send sensitive data to remote endpoints. If you plan to use it with private store/customer data, avoid passing secrets into the prompt. Consider asking the author to (1) declare required binaries (openclaw, python3), (2) clarify where the openclaw CLI sends prompts (local-only vs remote model), and (3) remove or sandbox the script if you need to prevent network egress. If you cannot verify the openclaw CLI behavior, run the script in a restricted environment or skip installing the skill.

Like a lobster shell, security has layers — review code before you run it.
