ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Margin Optimizer

v1.0.0

Optimize profit margins for Shopify stores by analyzing COGS, operating costs, and revenue levers to improve profitability. Triggers: margin optimizer, profi...

0· 49·0 current·0 all-time
by@mguozhen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Shopify margin optimizer) matches the included instructions and script: both produce a generic profitability report from user-provided input. However, the skill does not request Shopify API keys or any store credentials, so it can only generate high-level, hypothetical or user-supplied-data analyses rather than pulling real store P&L data. This is reasonable but should be understood by the user.
Instruction Scope
SKILL.md and analyze.sh keep scope narrow: they build a prompt describing the required P&L analysis and invoke a local agent. The script does not read system files, environment variables, or remote endpoints, nor does it attempt to fetch Shopify data. The main runtime action is calling 'openclaw agent --local' with the composed prompt and session id.
Install Mechanism
No install spec or external downloads are present (instruction-only plus a small shell script). Nothing will be written to disk beyond the included files unless the agent binary itself does so. This is low-risk from an install perspective.
Credentials
The skill declares no required environment variables, credentials, or config paths, which is proportionate given it does not integrate with Shopify APIs. There are no requests for unrelated secrets.
Persistence & Privilege
'always' is false and there is no persistent installation behavior or cross-skill configuration. The skill runs on demand and does not request elevated privileges.
Assessment
This skill appears to be a straightforward, self-contained helper that constructs a detailed prompt and sends it to a local 'openclaw' agent for generation. Before installing or running it: (1) Understand it will not access your Shopify store automatically — provide any financial/store data manually if you want store-specific recommendations. (2) The script calls a local 'openclaw' CLI; ensure you trust that binary and know where it runs/where data goes, because whatever you paste as input will be included in the prompt (do not include secrets, API keys, or passwords). (3) If you expect automated access to Shopify or CSV imports, request/verify explicit support for Shopify API credentials; currently none are requested. (4) If you want higher assurance, inspect the 'openclaw' binary behavior or run the script in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk976hhgxv6k9hb9fym509wrxzh83nfvq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments