v1.0.0

Shopify Supplier Negotiation

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:27 AM.

Analysis

The skill content is mostly supplier-negotiation advice, but it grants broad Bash/local-agent execution authority that is not clearly necessary for an advisory skill.

Guidance: Review this skill before installing because it grants Bash and includes a helper that launches a local OpenClaw agent, which is broader than needed for supplier-negotiation advice. If you only need negotiation scripts and frameworks, prefer a version without Bash access, and avoid entering confidential supplier terms unless you trust the local session handling.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
allowed-tools: Bash

The skill is marketed as generating supplier-negotiation advice, but this front matter permits use of a broad shell tool that is not tightly scoped to producing text guidance.

User impact: Installing it may allow the agent to run local shell commands while handling a negotiation-advice task.
Recommendation: Remove Bash permission for a text-only advisory skill, or document the exact helper command and require explicit user approval before any local command runs.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
analyze.sh
openclaw agent --local --message "${PROMPT}" --session "${SESSION_ID}"

The helper executes a local OpenClaw agent command. The command is not destructive and is aligned with generating the playbook, but it is still extra local execution for a skill that appears able to function as plain instructions.

User impact: Your request can be handed to a local agent process rather than being handled only as static skill instructions.
Recommendation: Review the helper before running it and avoid automatic execution unless you are comfortable with the local OpenClaw invocation.
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: Medium | Status: Note
install spec
No install spec — this is an instruction-only skill.

The package is described as instruction-only with no install spec, while the provided files include a helper script that depends on running the OpenClaw CLI. This is a dependency/declaration gap, not evidence of hidden installation.

User impact: The skill may rely on a local command that is not clearly declared in the registry requirements.
Recommendation: Declare the OpenClaw CLI dependency or remove the helper script if the skill is intended to be instruction-only.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
analyze.sh
SESSION_ID="shopify-supplier-neg-$(date +%s)"

The helper creates a named session and sends the user's supplier-negotiation request into it, meaning business details may become part of session context.

User impact: Supplier terms, product categories, or negotiation details entered into the skill could be retained in a local agent session context.
Recommendation: Avoid entering highly confidential supplier data unless you trust how local OpenClaw sessions are stored and reused.