Shopify Marketing

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is an instruction-only Shopify marketing advice skill, with the only notable caution being a user-run external install command in the documentation.

This skill appears safe as a marketing-advice prompt. Before using the documented install command, verify the linked Nexscope/GitHub source, because that source is separate from the artifact set held by the registry, which lists no install spec.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If a user runs the documented command, they are trusting the external repository and global installation behavior.

Why it was flagged

The skill documentation includes a user-run install command that pulls from an external repository and installs globally, while the registry lists no formal install spec. This is a provenance/install caution, not evidence of hidden or automatic execution.

Skill content
npx skills add nexscope-ai/eCommerce-Skills --skill shopify-marketing -g
Recommendation

Only run the install command after verifying the repository and publisher are the intended source.