ClawHub

Profit Margin Calculator Shopify

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a local calculator with no credential use, but its script looks like an Amazon/FBA margin calculator while the skill is advertised as Shopify/DTC.

Do not treat this as a verified Shopify/DTC calculator until the fee logic is checked. It appears safe from a credential/data-access perspective, but the visible script may calculate Amazon/FBA-style margins rather than Shopify payment-processing and 3PL costs.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI09: Human-Agent Trust Exploitation
Medium
What this means

A seller may receive margin calculations based on Amazon-style fees instead of Shopify/DTC costs, which could lead to incorrect pricing or profitability decisions.

Why it was flagged

The runnable script is visibly structured around Amazon/FBA referral and fulfillment fees, while SKILL.md advertises a Shopify/DTC calculator with no platform commission and Shopify payment processing assumptions. This mismatch could mislead users or agents into relying on the wrong fee model.

Skill content
"Amazon Profit Calculator - Core Engine" ... "Amazon Referral Fee Rates" ... "FBA_FULFILLMENT_FEES"
Recommendation

Verify the calculator output before relying on it. The maintainer should either align the script with Shopify/DTC fee logic or clearly rebrand the skill as an Amazon/FBA calculator.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing from an external source can add or update local skill files globally.

Why it was flagged

The install documentation points to a global npx-based install from an external source. This is disclosed and not suspicious by itself, but it is still a provenance point users should trust before running.

Skill content
npx skills add nexscope-ai/eCommerce-Skills --skill profit-margin-calculator-shopify -g
Recommendation

Only run the install command if you trust the referenced publisher/source, and prefer pinned or verified releases where available.