Product Differentiation Shopify
v0.1.0Shopify/DTC product differentiation strategy tool. Analyze competitor stores, extract pain points from reviews, identify brand positioning opportunities, and...
⭐ 0· 76·0 current·0 all-time
byHenk Nie@phheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (Shopify/DTC competitor analysis, review mining, USP extraction) match the provided SKILL.md and the presence of a Python analyzer script. There are no declared env vars, binaries, or config paths that contradict the stated purpose. The SKILL.md install/run instructions (npx skills add + python3 scripts/analyzer.py) are consistent with a local analysis tool.
Instruction Scope
SKILL.md limits runtime activity to running the analyzer with store/competitor inputs and describes outputs (comparison matrix, pain points, action plan). It does not specify how reviews/ads/social data are obtained; the README asserts "No API key required," which implies the script may scrape public sources. The instructions do not ask the agent to read unrelated system files or environment secrets, but the source of input data and whether the script performs network access is not explicit in the visible SKILL.md.
Install Mechanism
There is no registry install specification in the metadata and no downloaded archives in the skill bundle. The SKILL.md suggests installing the skill via an npx command (a normal package manager flow) and running a local Python script. No remote arbitrary downloads or extract operations are present in the registry metadata.
Credentials
The skill declares no required environment variables, primary credential, or config paths. The visible portion of analyzer.py does not reference environment secrets. This is proportionate to a tool that analyzes publicly-available store data. You should still inspect the remainder of analyzer.py for any unexpected access to os.environ or other credential use before providing sensitive inputs.
Persistence & Privilege
The skill is user-invocable only (always: false) and does not request persistent/enforced inclusion. There is no evidence it attempts to modify other skills or global agent configuration.
Assessment
This package appears coherent for competitor/store analysis, but before installing or running it you should: 1) review the complete scripts/analyzer.py for any network calls (requests, urllib, aiohttp, selenium, playwright, sockets) or hard-coded endpoints that could exfiltrate data; 2) confirm how the script obtains competitor reviews/ads (scraping vs public APIs) to ensure compliance with target sites' terms of service; 3) run the script in an isolated environment (sandbox or VM) the first time and inspect outbound network traffic; 4) avoid supplying sensitive credentials or private data unless the tool documents a justified need and clear storage/retention policy; and 5) if you want greater assurance, request the full untruncated source or a third-party audit. If you provide the rest of analyzer.py I can re-check specifically for suspicious network/endpoints or hidden credential access.Like a lobster shell, security has layers — review code before you run it.
latestvk9763vg1qc0y44q3hrae3rha5d83c2xd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.