Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Profit Margin Calculator Shopify
v0.1.0
Shopify/DTC profit margin calculator for sellers. Calculate cost breakdowns including ad spend, CAC, payment processing fees, and 3PL costs. Includes LTV/CAC...
by Henk Nie @phheng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md advertises a Shopify/DTC calculator (Shopify Payments, no platform commission), but scripts/calculator.py is labelled 'Amazon Profit Calculator' and contains Amazon referral fee rates, FBA fulfillment/storage fee tables, and Amazon category mappings. That mismatch means the implementation may produce results inappropriate for Shopify sellers or may be a generic Amazon-focused engine repackaged as a Shopify tool.
Instruction Scope
Runtime instructions are simple: run the bundled Python script with optional JSON args. SKILL.md does not request credentials or direct the agent to read unrelated system files. However the README includes an npx command to 'add' a nexscope package (npx skills add nexscope-ai/eCommerce-Skills), which would fetch code from a remote source if a user runs it — this is an external action outside the registry install and should be treated cautiously. The provided portion of the Python file shows no networking or env access, but the file content in the prompt was truncated, so unseen code could change this assessment.
Install Mechanism
There is no formal install spec in the registry (instruction-only plus a bundled script). That is lower-risk in that nothing is automatically downloaded by the registry, but the README recommends running an npx command that would pull an external package; users should not run such commands without inspecting the source. The skill bundle itself contains a local Python script (no external downloads declared).
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The visible code imports standard libraries only and does not reference env vars or secrets in the shown portion.
Persistence & Privilege
Flags show always:false and default agent invocation settings. The skill does not request permanent presence or elevated privileges in the manifest. Nothing in the provided materials indicates the skill will modify other skills or system-wide agent settings.
What to consider before installing
This package is internally inconsistent: the README markets a Shopify/DTC tool but the included Python script appears Amazon/FBA-focused. Before installing or running anything:
1) Inspect the full scripts/calculator.py file (the provided snippet is truncated) for any network calls, filesystem access, or use of environment variables or credentials.
2) Do NOT run the npx command in the README unless you have reviewed the remote package repository and trust the publisher.
3) If you need a Shopify-specific calculator, confirm the code uses Shopify payment fee logic (2.9% + $0.30) and does not apply Amazon referral/FBA fees; test outputs with known inputs.
4) Consider running the script in a sandbox or VM and run static scans (look for 'requests', 'urllib', 'os.environ', 'subprocess') to detect hidden behavior.
5) If you cannot validate the origin (homepage/source unknown), prefer a skill with a verifiable source or request the author to clarify why Amazon data is present and provide a Shopify-only configuration option.
Like a lobster shell, security has layers — review code before you run it.
