Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Conversion Optimization

v1.0.0

Analyze and improve Shopify store conversion by optimizing product pages, checkout flow, trust signals, mobile UX, page speed, and implementing A/B tests.

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and listed capabilities (product page, checkout, mobile UX, A/B tests, page speed, trust signals, etc.) are consistent and proportionate for a Shopify conversion optimization skill.
Instruction Scope
SKILL.md contains only expected guidance and usage prompts for auditing and optimizing a Shopify store. It does not instruct the agent to read unrelated system files, environment variables, or exfiltrate data.
Install Mechanism
Although the skill bundle has no install spec and no code files, SKILL.md includes an 'npx skills add nexscope/shopify-conversion-optimization' instruction. That implies pulling code from an external registry (npm/GitHub). The registry metadata lacks a homepage or source URL to verify that external package, so running the npx command could execute unreviewed code. This is the main inconsistency.
Credentials
The skill declares no required environment variables, credentials, or config paths. That aligns with a consultant-style instruction-only skill that produces recommendations rather than programmatically calling Shopify APIs.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation. It does not request persistent privileges or system-wide configuration changes. No indications that it modifies other skills or agent settings.
What to consider before installing
This skill appears to legitimately describe Shopify conversion work, but exercise caution before running the npx install line included in SKILL.md:

1) Verify the publisher (Nexscope) and inspect the referenced package repository or npm page before running npx.
2) Prefer to review the package source code in a browser or sandbox rather than executing it directly.
3) Do not supply Shopify API keys or other secrets unless you confirm why they are needed and that the package is trustworthy.
4) If you only want human-readable recommendations, you can use the SKILL.md guidance without running the npx installer.

If the vendor/repo can be provided or the package contents are available for review, the assessment confidence can be raised to benign.

Like a lobster shell, security has layers — review code before you run it.
