Shopify Pr Strategy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a PR-strategy prompt generator, with the main caveat that it enables Bash and includes a local OpenClaw agent wrapper.

This skill looks generally safe for generating PR strategy content. Before installing, note that it is not purely prompt-only: it enables Bash and includes a helper that calls a local OpenClaw agent. Do not provide confidential store or business information unless you are comfortable with how your local OpenClaw sessions handle that data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the skill is invoked through its helper workflow, local command execution is available rather than only model text generation.

Why it was flagged

The skill enables Bash for a PR-strategy content task. The included script appears purpose-aligned, but Bash is broader authority than a pure prompt-only strategy generator would need.

Skill content

allowed-tools: Bash

Recommendation

Install only if you are comfortable with the skill having Bash access; maintainers could reduce risk by removing Bash if it is not required.

What this means

The skill may fail or behave differently depending on the local OpenClaw CLI available in the user's environment.

Why it was flagged

The helper relies on an OpenClaw CLI invocation, while the supplied requirements declare no required binaries, making the runtime dependency under-declared.

Skill content

openclaw agent --local --message "${PROMPT}" --session "${SESSION_ID}"

Recommendation

Document the OpenClaw CLI dependency in the skill metadata or remove the helper script if the skill is intended to be instruction-only.

What this means

Store URLs, brand descriptions, or other details supplied to the helper may be processed in another local agent session.

Why it was flagged

The script delegates the generated prompt and user-provided store details to a separate local agent session. No external endpoint is shown, but the nested agent boundary is not described in the user-facing instructions.

Skill content

openclaw agent --local --message "${PROMPT}" --session "${SESSION_ID}"

Recommendation

Avoid entering confidential business details unless you understand how local OpenClaw agent sessions are stored and scoped.