Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopify Traffic Analyzer
v1.0.0
Website traffic analysis and growth strategy for Shopify stores. Estimate traffic sources, benchmark against competitors, identify growth channels, and build...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description align with its behavior: it builds a traffic-analysis prompt and produces a growth report. However, the executable analyze.sh invokes the local 'openclaw' agent CLI and python3; the registry metadata lists no required binaries. Requiring a local agent CLI is reasonable for generating model-backed reports, but the dependency is not declared, which is an inconsistency.
Instruction Scope
SKILL.md is scoped to Shopify traffic analysis and the included analyze.sh sticks to that: it constructs a prompt and asks a model to generate a report. It does not read unrelated files or require extra environment variables. Caveat: analyze.sh sends the user-provided input to the local 'openclaw' agent — depending on how that agent is configured, that data could be transmitted to external model providers. The SKILL.md does not mention this or warn about sensitive inputs.
Install Mechanism
There is no install spec and no network downloads. The only code shipped is analyze.sh (and SKILL.md). No archives or external installers are used.
Credentials
The skill declares no required environment variables or credentials, and the script doesn't ask for secrets. But it does require (implicitly) the 'openclaw' CLI and python3 to be present — these were not declared in the metadata. Also, because it forwards the input to a model via the local agent, secrets included in the input could be exposed to whatever backend the local agent uses.
Persistence & Privilege
The skill is not persistent (always: false) and does not modify system or other skills' configuration. It only spawns a local agent process and prints a report.
What to consider before installing
Before installing or running this skill, inspect analyze.sh (already included) and verify you are comfortable with what it runs. Specifically: (1) confirm the 'openclaw' CLI and python3 are available where you plan to run it — the skill metadata did not declare these binaries; (2) understand that analyze.sh sends whatever input you provide to the local OpenClaw agent — if that agent is configured to call external model providers, any sensitive data you include (API keys, private store URLs, customer PII) may be transmitted to third parties; (3) run the script in a controlled environment (no secrets in arguments), or modify the script to sanitize inputs or use a private model/backend; (4) if you need exhaustive guarantees about data handling, ask the maintainer how the local 'openclaw' agent is configured or run the prompt generation against a model instance you control. The skill appears coherent for its stated purpose, but the undeclared dependency on a CLI that may forward data externally is the main reason to proceed cautiously.
Like a lobster shell, security has layers — review code before you run it.
