Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Localization

v1.0.0

Localize a Shopify store for international markets with translated content, local payment methods, and culturally adapted marketing. Triggers: store localiza...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and analyze.sh both implement a Shopify localization playbook and produce the expected outputs (translation workflow, payment methods, SEO, etc.). However, the package metadata declares no required binaries while analyze.sh calls the 'openclaw agent' CLI; the skill implicitly requires that binary but does not declare it. This mismatch is likely an oversight, but it is an inconsistency the user should be aware of.
Instruction Scope
The runtime script only constructs a localization prompt and invokes a local 'openclaw agent' process; it does not read arbitrary local files or request unrelated system paths or credentials. That scope is consistent with the declared purpose. The main scope concern is that invoking a local agent hands control to another program (and possibly to networked model APIs), which could in turn access connectors or other skills — the SKILL.md does not document that behavior.
Install Mechanism
There is no install spec and only a small shell script is included. No archives are downloaded and nothing is written to disk by an installer step; this is low-risk from an install-mechanism perspective.
Credentials
The skill declares no environment variables or credentials. However, analyze.sh calls 'openclaw agent --local', which will run whatever local OpenClaw client is installed; that client may read model/API keys or connector credentials from your environment or agent config. The skill does not declare or warn about this implicit dependency on the user's model/API configuration.
Persistence & Privilege
The skill does not request persistent installation or elevated privileges. Flags show always:false and default autonomy settings; there is no evidence the skill modifies other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it claims (generate a Shopify localization strategy), but before running it:
1) Verify you have a trusted 'openclaw agent' CLI installed. The script calls it, but the skill metadata fails to declare that dependency.
2) Understand that running analyze.sh launches your local agent, which may read model/API keys or connectors from your environment (e.g., OPENAI_API_KEY or other agent config). Run it in an environment you control.
3) Inspect the openclaw agent binary you will invoke (is it the official client and from a trusted source?).
4) If you are uncomfortable, run the shell script in an isolated/test environment, or copy the prompt from the script and run it manually against a controlled model instance.
5) If you plan to allow autonomous invocation, be aware that this skill hands off work to another agent process which could further call external services; ensure you trust that local agent configuration.

Like a lobster shell, security has layers — review code before you run it.

latestvk971zbbm4nym9kq36zcc595nr183mcvb
