Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Supplier Negotiation

v1.0.0

Master supplier negotiation tactics for Shopify store owners to reduce COGS, improve terms, and build better supplier relationships. Triggers: supplier negot...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and SKILL.md all describe supplier negotiation guidance and the included materials match that purpose. However, the shipped analyze.sh invokes an 'openclaw agent' CLI, yet the skill metadata declares no required binaries — this is an incoherence (the skill will fail or behave differently unless that binary exists).
Instruction Scope
SKILL.md and analyze.sh remain focused on producing negotiation playbooks and templates. The script builds a prompt from user input and sends it to a local 'openclaw agent' process; it does not read unrelated files, environment variables, or contact external URLs directly. The scope is appropriate for the stated purpose, but the script's runtime dependency is not declared.
Install Mechanism
There is no install spec and no downloads or extracted archives — the skill is instruction-only plus a small shell helper. This minimizes install-time risk.
Credentials
The skill declares no environment variables or credentials and the script does not read secrets or configuration files. Requested permissions are proportionate to a negotiation-playbook generator.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not modify other skills or system settings. Autonomous invocation settings are the platform defaults.
What to consider before installing
This skill appears to provide legitimate negotiation content, but before installing:
1) Verify you have the 'openclaw agent' CLI the analyze.sh script calls (or update the metadata to declare it); otherwise the script will fail.
2) Inspect/approve the openclaw agent binary you will run — the script sends your prompt and input to that tool, so ensure it runs locally and is trusted.
3) Avoid pasting sensitive or proprietary supplier credentials into prompts; the skill doesn't require secrets but any input you provide will be forwarded to the agent process.
4) If you expect the skill to work without installing additional tooling, ask the publisher to remove or replace the analyze.sh dependency or update the required binaries list.

Like a lobster shell, security has layers — review code before you run it.
