Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Theme Selector

v1.0.0

Shopify theme recommendation and evaluation for any niche. Compare free vs paid themes, analyze conversion features, and get a customization roadmap for your...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and analyze.sh are coherent with a theme-recommendation purpose: they build a detailed prompt and request a generated report. However, the script relies on an 'openclaw' CLI and on python3, neither of which the skill metadata declares as a required binary, so what the skill says it needs and what it actually invokes do not match.
Instruction Scope
The instructions and script remain within the stated purpose (generate theme recommendations, checklists, and roadmaps). They do not read arbitrary files or request credentials. The script takes only a text argument and posts the prompt to a local CLI client.
Install Mechanism
No install spec is present (instruction-only), and the bundled shell script is self-contained (no downloads or archive extraction). There is no high-risk install mechanism included.
Credentials
The skill declares no required environment variables, yet the script expects and calls external binaries (openclaw and python3). Because neither the runtime dependencies nor whether the local 'openclaw' call reaches remote services or credentials is documented, this is a proportionality/visibility gap that could hide unexpected data flows.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. The script does not write to system-wide configuration or alter other components.
What to consider before installing
This skill appears to do what it claims, but the analyze.sh script runs a local 'openclaw' CLI and uses python3; neither is declared in the metadata. Before installing or running it:
1) verify that the openclaw CLI you have installed comes from a trusted source, and understand whether it will send data to remote services (the script invokes the local agent, which may call remote models);
2) ensure python3 is available;
3) run the script with non-sensitive test input first to confirm its behavior;
4) ask the author to update the skill metadata to list the required binaries and to document whether any remote network calls or credential access occur;
5) if you are unsure about the openclaw binary, run the script in a sandboxed environment.
The mismatch between declared requirements and actual runtime calls is the main risk here.
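The mismatch the scan calls out (binaries a bundled script calls that the metadata never declares) is something you can check yourself before installing any skill, not just this one. Below is an added Python audit written for this page; it is not part of the ClawHub scan, the OpenClaw tooling, or the Shopify Theme Selector files. It tokenises a shell script with shlex, collects every word in command position, and subtracts what SKILL.md declares. The analyze.sh stand-in and the two SKILL.md variants are constructed here to mirror the scan's description, and the frontmatter key path `metadata.openclaw.requires.bins` is an assumption about the skill format that this page does not confirm.

```python
import json
import re
import shlex

# Words that never name an external binary: shell keywords, POSIX builtins,
# and helpers that merely run the command given in their arguments.
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "do", "done", "while",
            "until", "case", "esac", "in", "!", "{", "}"}
BUILTINS = {"[", "cd", "echo", "exit", "export", "local", "printf", "read",
            "return", "set", "shift", "source", ".", "test", "trap", "true",
            "false", "unset", "command", "exec"}
PASSTHROUGH = {"command", "exec", "sudo", "env", "nohup", "time", "xargs"}
SEPARATORS = {"|", "||", "&&", ";", ";;", "&", "(", ")"}
_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def invoked_binaries(script_text):
    """External commands a shell script calls.

    Each line is tokenised with shlex (quotes respected, `|;&()` split out) and
    the word in command position after every separator is recorded. Leading
    VAR=value assignments, keywords and builtins are skipped. Limitations: text
    inside double-quoted $(...), eval strings and heredoc bodies is not inspected.
    """
    found = set()
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:          # quote left open (multi-line string); skip line
            continue
        expect_cmd = True
        for tok in tokens:
            if tok in SEPARATORS:
                expect_cmd = True
            elif expect_cmd:
                if tok in KEYWORDS or tok.startswith("-") or _ASSIGN.match(tok):
                    continue        # command is still to come on this segment
                if tok in PASSTHROUGH:
                    if tok not in BUILTINS:
                        found.add(tok)
                    continue        # the real command is the next token
                expect_cmd = False
                if tok not in BUILTINS and not tok.startswith(("$", "<", ">")):
                    found.add(tok.rsplit("/", 1)[-1])   # /usr/bin/python3 -> python3
    return found


def declared_binaries(skill_md):
    """Binaries declared in SKILL.md frontmatter.

    Assumption (not confirmed by the page): the frontmatter has a `metadata:`
    line whose value is JSON with `openclaw.requires.bins`. Anything else yields
    an empty set, which is exactly the situation the scan above describes.
    """
    m = re.match(r"^---\n(.*?)\n---", skill_md, re.S)
    if not m:
        return set()
    for line in m.group(1).splitlines():
        if line.startswith("metadata:"):
            try:
                meta = json.loads(line[len("metadata:"):].strip())
            except ValueError:
                return set()
            return set(meta.get("openclaw", {}).get("requires", {}).get("bins", []))
    return set()


def undeclared_binaries(skill_md, script_text):
    """Sorted list of binaries the script calls that SKILL.md does not declare."""
    return sorted(invoked_binaries(script_text) - declared_binaries(skill_md))


# Constructed stand-ins, not the real Shopify Theme Selector files. The
# `openclaw` invocation is a placeholder; no real subcommand or flag is implied.
ANALYZE_SH = r'''#!/usr/bin/env bash
set -euo pipefail
NICHE="${1:-}"
if [ -z "$NICHE" ]; then
  echo "usage: $0 <niche>" >&2
  exit 1
fi
PROMPT="Recommend Shopify themes for a $NICHE store. Compare free vs paid themes."
PAYLOAD=$(python3 -c 'import json,sys; print(json.dumps({"prompt": sys.argv[1]}))' "$PROMPT")
echo "$PAYLOAD" | openclaw
'''

SKILL_MD_UNDECLARED = """---
name: shopify-theme-selector
description: Shopify theme recommendation and evaluation for any niche.
---
Run `bash analyze.sh "<niche>"` for a theme report.
"""

SKILL_MD_DECLARED = """---
name: shopify-theme-selector
description: Shopify theme recommendation and evaluation for any niche.
metadata: {"openclaw": {"requires": {"bins": ["openclaw", "python3"]}}}
---
Run `bash analyze.sh "<niche>"` for a theme report.
"""

if __name__ == "__main__":
    for label, md in (("undeclared", SKILL_MD_UNDECLARED), ("declared", SKILL_MD_DECLARED)):
        print(f"{label}: missing from metadata -> {undeclared_binaries(md, ANALYZE_SH)}")
```

Run it against a real skill by reading SKILL.md and the bundled script from the downloaded zip instead of the constructed constants; any name it reports is a binary you should locate on your PATH and trust before the script ever runs. The tokeniser handles `sudo`/`env` prefixes and full paths, so `sudo /usr/local/bin/openclaw` is reported as both `sudo` and `openclaw`.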

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b68ja9y4y84mnrj7nrayzfd83e99m

