ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Landing Page Builder

v1.0.0

Design high-converting landing pages for Shopify stores with optimized layouts, copy frameworks, and CRO best practices. Triggers: landing page builder, high...

0· 57·0 current·0 all-time
by@mguozhen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and analyze.sh both describe producing landing-page strategy and copy frameworks, which is coherent with the skill name/description. However, the included analyze.sh invokes a local 'openclaw agent' binary to process the prompt; the skill metadata lists no required binaries. The need for a local agent binary is plausible but should have been declared.
Instruction Scope
The runtime instructions and script are narrowly focused on producing CRO deliverables and do not directly read user files or request credentials. But the script executes 'openclaw agent --local ...' — that local agent process may itself attach additional context, system data, or credentials depending on the user's agent installation and configuration. The SKILL.md does not warn about that or constrain what the local agent may include in its context.
Install Mechanism
There is no install spec (instruction-only skill with one helper script). Nothing is downloaded or written to disk by an installer step beyond the existing files in the skill bundle.
Credentials
The skill declares no required environment variables or credentials, which matches the high-level purpose. However, the script's invocation of the 'openclaw agent' binary is an implicit dependency; that binary may rely on the user's global configuration or stored credentials (not declared here). The skill does not document or limit what the invoked agent will access.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable only by default. It does not request persistent system-wide changes or modify other skills' configs.
What to consider before installing
This skill appears to do what it says (generate landing-page strategy and copy), but exercise caution: the included analyze.sh runs 'openclaw agent --local --message ...' even though the skill metadata does not declare that binary as required. Before running or installing, verify what the local 'openclaw agent' CLI does on your system (does it send data to a remote service, include local files, or use stored credentials?). If you don't want a local agent run, open and review analyze.sh and either remove or modify the call to the agent or run the logic in a sandbox. Also confirm the GitHub source and inspect any further scripts or instructions there. If you plan to use the script with private store URLs or sensitive product info, be aware that those inputs will be passed verbatim to the invoked agent process and could be exposed depending on that agent's behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dc91d4vnc23rbxrqa5pvf8s83nmjb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments