Shopify Niche Finder
v1.0.0Identify profitable product niches for Shopify stores using market demand data, competition analysis, and profitability assessment. Triggers: niche finder, f...
⭐ 0· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the behavior: the included analyze.sh builds a prompt and asks a local OpenClaw agent to generate a niche research report. However, the script implicitly requires the 'openclaw' CLI binary to exist at runtime but the skill metadata does not declare any required binaries. This is a minor incoherence (missing declared dependency) but not evidence of malicious intent.
Instruction Scope
SKILL.md and analyze.sh keep scope to niche research: scoring, market research sources to consult, and validation steps. The runtime script only forwards the user input in a prompt to the local OpenClaw agent; it does not read unrelated files, access system paths, or contact external endpoints directly from the script. Note: the prompt references external services/tools (Google Trends, Amazon, TikTok) as research sources but the script itself does not attempt to automatically fetch data from them.
Install Mechanism
There is no install spec (instruction-only) and no downloads or archive extraction. The only executable behavior is the included analyze.sh which invokes a local CLI; nothing in the skill writes additional files or installs dependencies.
Credentials
The skill declares no required environment variables or credentials, which aligns with its stated purpose. However, analyze.sh invokes 'openclaw agent --local' which will run using the local OpenClaw CLI configuration (and thus any API keys or credentials that CLI uses). This reliance on the user's local agent configuration is not declared in the metadata and means prompts/input will be handled by whatever model/account is configured for the CLI.
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system settings, and does not persist or install services. It runs transiently when invoked.
Assessment
This skill appears to do what it says: it shells out to a local OpenClaw agent with a crafted prompt to generate Shopify niche analysis. Before installing or running it: 1) Review the analyze.sh file (you already have it) and confirm you are comfortable running it; 2) Ensure the 'openclaw' CLI is installed from a trusted source — the script assumes that binary exists but the metadata doesn't declare it; 3) Check your OpenClaw/LLM CLI configuration (API keys, account) because your input and prompt will be handled by that configured account/provider; do not pass sensitive credentials or private data to the script/prompt; 4) If you need offline or local-only operation, verify the openclaw agent can run locally without sending data to an external provider; 5) If you want the skill to self-containedly require the CLI, ask the maintainer to add the 'openclaw' binary to required-binaries or include installation instructions. Overall risk is low, but be mindful of what you send to your model provider via the CLI.Like a lobster shell, security has layers — review code before you run it.
latestvk9794dj70xfyk8g7nans1267qn83pty6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.