Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopify Launch Strategy
v1.0.0Build a new product launch playbook for Shopify stores with pre-launch hype, launch day tactics, and post-launch momentum. Triggers: product launch strategy,...
⭐ 0· 47·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (Shopify launch playbook) matches the skill files: SKILL.md describes the deliverables and analyze.sh builds a prompt to produce that content. However, analyze.sh invokes an 'openclaw' CLI to generate the output even though the manifest lists no required binaries. Requiring a local agent binary to produce the content is plausible but the binary is not declared, which is an incoherence (missing declared dependency).
Instruction Scope
SKILL.md and analyze.sh stay within the stated purpose: they construct a detailed prompt for a product launch playbook and do not read or send any local files, environment variables, or unrelated system data. The only runtime action beyond local shell work is calling the 'openclaw' CLI with the prompt, which is consistent with generating model output but may forward the prompt externally depending on that CLI's behavior.
Install Mechanism
There is no install spec and no downloads — this is an instruction-only skill with a single helper script. That's low-risk from an installation perspective. The script will be written to disk when the skill is installed (it already exists in the bundle) but nothing in the manifest will automatically fetch remote code.
Credentials
The skill declares no required environment variables or credentials and the script does not reference env vars or config paths. That aligns with a content-generation playbook. Note: the allowed-tools is Bash, which permits arbitrary shell commands if the agent runs the script, so the runtime environment in which you execute analyze.sh matters.
Persistence & Privilege
The skill is not set to always:true and does not request elevated or persistent system presence. Model invocation is enabled (default), which is normal for skills. There is no evidence the skill modifies other skills or system-wide agent settings.
What to consider before installing
This skill appears coherent for generating a Shopify launch playbook, but exercise caution before running the included script. The analyze.sh script invokes an 'openclaw' CLI that is not declared in the manifest — confirm whether that binary exists on your system, where it came from, and what network activity it performs. Inspect the openclaw CLI (or run the script in an isolated/sandbox environment) to ensure prompts are not sent to an unexpected remote endpoint. If you don't want the skill to call a local agent automatically, you can copy the prompt from analyze.sh and run it manually against a model you trust or have verified. If you plan to install/run this skill in production, check the linked GitHub repo for provenance and any additional documentation or release artifacts that explain the openclaw dependency.Like a lobster shell, security has layers — review code before you run it.
latestvk971q45kh0bqqcszwxx3h93k1n83n6a5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.