Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify SEO

v1.0.0

Provides comprehensive SEO audits and optimization strategies tailored for Shopify stores, including technical SEO, product pages, blogs, and site structure.

by nexscope-ai @nexscope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and content describe Shopify SEO audits and recommendations and do not request unrelated capabilities. However, the SKILL.md claims a vendor (Nexscope) and provides an npx install command not reflected in the registry metadata (source: unknown, homepage: none), which is an inconsistency worth verifying.
Instruction Scope
Runtime instructions are purely advisory (how to use the skill and what outputs to produce) and do not instruct the agent to read local files, environment variables, or to transmit data to unexpected endpoints. The scope aligns with a guidance-only SEO skill.
Install Mechanism
Although the registry lists no install spec (instruction-only), SKILL.md contains an explicit 'npx skills add nexscope/shopify-seo' command that would download and run code from npm. That external install source is not declared in the registry metadata and could fetch arbitrary code — treat the npx instruction as an external-code risk until you verify the package and publisher.
Credentials
The skill declares no required environment variables, credentials, or config paths. For an advisory SEO skill this is proportionate; be cautious if the agent later asks for Shopify admin API keys or other secrets, which are not currently declared.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. There is no indication it attempts to modify other skills or system-wide configuration.
What to consider before installing
This skill appears to be an advice-only Shopify SEO guide, but there are two red flags to check before installing or following its 'npx' instruction: (1) the registry metadata lists no source or homepage, yet SKILL.md points to Nexscope and an npm-style install (nexscope/shopify-seo). Verify the package exists on npm and the publisher is legitimate (check npm/GitHub repository, read the package code and recent release history). (2) Never run npx or install packages you haven't inspected — npx executes code from the network. If the skill or agent later asks for Shopify admin API credentials, only provide least-privilege, time-limited access (or use a read-only storefront URL) and prefer using official OAuth apps or store backups. If you want lower risk, use this skill in a sandboxed environment or ask for a clear install spec hosted on a known repository before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk9720rh0069tx6z7r3w3c19xgs841553
