ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Social Content Planner

v1.0.0

30-day social media content calendar for Shopify stores. Plan Instagram, TikTok, Pinterest, and Facebook content with captions, hashtags, and posting schedul...

0· 60·0 current·0 all-time
by@mguozhen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (generate a 30-day social content plan) aligns with the SKILL.md and the analyze.sh script, which builds a prompt and requests a generated report. However, analyze.sh depends on an 'openclaw' CLI and python3 at runtime even though the skill declares no required binaries or environment variables; that is an inconsistency the author should justify.
Instruction Scope
SKILL.md and analyze.sh remain scoped to generating content (prompt construction, formatting, and printing). The script does not read arbitrary files or environment variables itself. However, it invokes 'openclaw agent' with the generated prompt — that agent could forward prompts/data to remote models or services, which is outside the skill's textual scope and not documented here.
Install Mechanism
No install spec or external downloads are present and the shell script is readable (no obfuscated code or remote fetches). This limits install-time risk, but the script is executable and will require locally-available tooling to run.
!
Credentials
The skill declares no required environment variables or primary credential, yet analyze.sh calls 'openclaw agent' and python3. The openclaw agent may rely on stored API keys, model credentials, or network access not declared by the skill; the lack of any declared credential requirements is disproportionate to that dependency and should be clarified.
Persistence & Privilege
The skill is not marked 'always' and does not attempt to persist configuration, modify other skills, or write to system-wide config. It appears to be runtime-only and user-invocable, which is appropriate for its purpose.
What to consider before installing
Before installing or running this skill: (1) Note that analyze.sh expects an 'openclaw' CLI and python3 — confirm these are present and understand their provenance. (2) Ask the author to declare required binaries and any environment variables (model/API keys) the openclaw agent needs. (3) Understand that the script sends your prompt to the local 'openclaw agent' which may forward data to remote models or services — if you care about confidentiality, run it in a sandbox or with an agent you control. (4) Review the openclaw CLI behaviour (does it require network access or API keys?) and verify the referenced domain (clawhub.ai) independently. (5) If you cannot validate the openclaw agent, avoid running the script on sensitive data or run it in an isolated environment. Additional information from the skill author about the intended runtime environment and credential usage would reduce uncertainty.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fnry38w69yzqt9am7z7217d83e0p9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments