Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopify Logistics Optimizer
v1.0.0
Optimize shipping and logistics operations for Shopify stores to reduce costs, improve delivery times, and delight customers. Triggers: logistics optimizer,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and analyze.sh both describe generating a logistics optimization report — that's coherent. However, analyze.sh invokes an external binary named 'openclaw' (openclaw agent --local ...) even though the skill declares no required binaries or environment variables. Requiring a platform CLI without declaring it is an inconsistency: the skill implicitly depends on a local agent binary.
Instruction Scope
The instructions and the script stay within the stated purpose (they build an LLM prompt and request a report). They do not read arbitrary files or request credentials. The notable behavior is that the script asks the environment to run the 'openclaw' CLI locally to produce the report, which effectively chains/recurses into the local agent — this may change execution context and any permissions the local 'openclaw' process has.
Install Mechanism
No install/spec is provided (instruction-only), so nothing will be written to disk beyond the included file. This is low-risk from an install perspective.
Credentials
The skill declares no required environment variables or credentials and the script does not reference secrets. However, because it invokes a local 'openclaw' binary, the actual runtime may rely on the local agent's configuration (which could have credentials or network access). The skill does not document or justify that dependency.
Persistence & Privilege
always is false, the skill makes no changes to system or other skills, and there is no attempt to persist configuration or escalate privileges.
What to consider before installing
This skill's logic and prompt are coherent for generating a Shopify logistics report, but review the following before installing or running:
1) The included script calls a local 'openclaw' CLI (openclaw agent --local). Confirm you trust that binary, understand what credentials or network access it has, and that it is present in the runtime environment.
2) If you don't want the skill to re-invoke a local agent, open analyze.sh and remove or replace the 'openclaw' call (the rest of the prompt can be used directly with whatever LLM you trust).
3) Run the script in an isolated environment (or inspect the repository README) to verify any implicit dependencies and to ensure no secrets are passed to the local agent.
If you want, provide the repository README or the system PATH/setup details and I can re-assess with higher confidence.
Like a lobster shell, security has layers — review code before you run it.
latestvk973j1mmqbdb1kmdy9rtt6vq2h83n6kd
