Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Dropshipping

v1.0.0

Dropshipping setup and scaling — supplier integration, automation, pricing strategy, customer experience

by nexscope-ai@nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description promise strategy and guidance only; the skill requests no credentials, binaries, or config paths and contains no code files, which is consistent with an advice-only skill.
Instruction Scope
SKILL.md stays within advisory scope (audits, recommendations, timelines) and does not instruct the agent to access Shopify APIs, local files, or secrets. However, it includes an 'Install' command that instructs the user to fetch an external package via npx, which expands the runtime footprint beyond the instruction-only content.
Install Mechanism
Registry metadata contains no install spec, yet SKILL.md tells users to run 'npx skills add nexscope-ai/eCommerce-Skills --skill shopify-dropshipping -g'. That command will fetch and run code from npm/remote, likely doing a global install — a higher-risk action not represented in the manifest or linked to a verified homepage.
Credentials
The skill declares no required environment variables or credentials and the instructions do not ask for secrets. This is proportionate for a strategy/advisory skill.
Persistence & Privilege
always is false and default autonomy is allowed (normal). The skill does not request persistent system-level config or modify other skills per the manifest.
What to consider before installing
This skill appears to be advice-only and doesn't ask for Shopify credentials, but its README tells you to run an npx command that will fetch and install third-party code (globally). Before running that command, verify the npm package and author (inspect the package repository, audit its code, and prefer a non-global install). Because the registry lists no homepage/source, confirm the Nexscope identity and read the package contents. If you only want strategy and recommendations, you can use the SKILL.md text without running the npx install. If you plan to install the package, review it first and avoid providing any Shopify API keys or secrets unless you understand why they're needed.

Like a lobster shell, security has layers — review code before you run it.
