Back to skill
Skillv1.0.0
ClawScan security
Shopify App Recommendations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 10, 2026, 6:04 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested capabilities, instructions, and lack of required credentials are consistent with a guidance-only Shopify app advisor; nothing in the skill itself asks for unrelated access.
- Guidance
- This skill appears to be a guidance-only Shopify app advisor and does not request credentials or access to your store. The one thing to watch for: SKILL.md suggests installing a package via npx (nexscope-ai/eCommerce-Skills). Running npx will fetch and execute remote code—only run that if you trust the nexscope publisher; inspect the package repository first. Do not share store admin credentials or API keys with the skill; if you need concrete audits tied to your store, prefer explicit, vetted integrations that request only the minimum required permissions.
Review Dimensions
- Purpose & Capability
- okName and description (Shopify app recommendations) match the instructions: strategic guidance, app comparisons, and implementation plans. The skill explicitly states it does not perform direct Shopify API integration, which aligns with the absence of credential or config requirements.
- Instruction Scope
- okSKILL.md provides guidance-only instructions and example prompts. It does not instruct the agent to read local files, environment variables, or contact external endpoints beyond linking Nexscope for product info. The scope is limited to advisory outputs and user-provided context.
- Install Mechanism
- noteThere is no formal install spec in the registry (instruction-only), but SKILL.md suggests an npx command that would fetch code (nexscope-ai/eCommerce-Skills). Running npx will execute remote code from npm/GitHub—review that package/source before running the command.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. This is proportionate to a guidance-only advisor that does not integrate with Shopify APIs.
- Persistence & Privilege
- okalways is false and the skill requests no elevated or persistent system privileges. It's user-invocable and does not attempt to modify other skills or system-wide settings.