Shopify Niche Finder
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to generate a Shopify niche-research report prompt, with no evidence of credential access, exfiltration, destructive actions, or hidden network behavior.
This skill looks low-risk from the provided artifacts. Before installing, be aware that its helper script uses the local OpenClaw agent to generate the report and does not appear to connect to live market-data APIs, so outputs should be treated as research guidance rather than verified financial advice.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your niche-research request would be passed into a local agent process to generate the report.
The helper script uses Bash to start a local OpenClaw agent with the generated research prompt. This is consistent with producing the requested report, but it is broader than a purely static instruction-only skill.
openclaw agent --local --message "${PROMPT}" --session "${SESSION_ID}"
Install only if you are comfortable with the skill using the local OpenClaw agent for report generation; maintainers should document this behavior clearly in SKILL.md.
The skill may fail or behave differently depending on the local OpenClaw CLI available in the environment.
The script relies on the openclaw CLI, while the registry requirements list no required binaries. This is an under-declared dependency, not evidence of hidden installation or remote code execution.
openclaw agent --local --message "${PROMPT}"
The package should declare the openclaw CLI dependency or explain that the script is optional and requires the OpenClaw runtime.
