Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Supply Chain Optimization Shopify
v0.1.0Supply Chain Bottleneck Analyzer for Shopify/DTC stores. Diagnose cash flow, inventory, shipping costs, and customer acquisition efficiency. Includes CAC/LTV...
⭐ 0· 63·0 current·0 all-time
byHenk Nie@phheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The included Python calculator computes supply‑chain and DTC metrics consistent with the skill's description. However, the SKILL.md explicitly documents Shopify and ShipBob API environment variables for fetching orders/inventory while the registry metadata lists no required credentials — an undeclared optional integration. That inconsistency should be clarified (optional tokens are reasonable for richer analysis, but they must be declared).
Instruction Scope
SKILL.md contains runtime instructions that go beyond local calculation: it tells the user/agent to export SHOPIFY_STORE_URL, SHOPIFY_ACCESS_TOKEN and SHIPBOB_API_TOKEN and to run an npx install command for 'nexscope-ai/eCommerce-Skills'. Those instructions cause network activity (fetching a remote package) and request tokens. The README does not clearly limit what data would be read/sent or how the remote package is trusted.
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md instructs users to run 'npx skills add nexscope-ai/eCommerce-Skills'. That implies downloading and running third‑party code from a package registry at runtime. The distributed bundle does include a local scripts/calculator.py (no obvious network calls in the visible portion), but the npx instruction introduces additional, undeclared code and supply‑chain risk.
Credentials
Registry metadata declares no required environment variables, yet SKILL.md shows example env vars for Shopify and ShipBob tokens. Requesting store tokens is proportionate to accessing Shopify/3PL APIs, but the fact they're not declared in the skill metadata (and the README instructs exporting them) is a red flag: the skill can ask for sensitive credentials without telling the platform upfront. If you provide tokens, prefer least‑privilege/read‑only tokens and explicitly verify what scopes are needed.
Persistence & Privilege
The skill does not request 'always: true' and does not declare any modifications to other skills or global agent config. There is no evidence it requests persistent elevated privileges.
What to consider before installing
This skill's calculator code appears to do what the description promises, but the SKILL.md asks you to (a) export Shopify/ShipBob credentials and (b) npx-install a package from 'nexscope-ai' — neither of which are declared in the registry metadata. Before installing or providing tokens: 1) Verify the publisher (homepage or repository) and confirm the npm package identity; 2) Inspect the full package that 'npx' would fetch (don’t run it blind); 3) If you must supply API credentials, create least‑privilege/read‑only tokens and limit scopes and lifetime; 4) Consider testing with synthetic or sandbox store data first; 5) Ask the publisher to update the skill metadata to declare optional env vars and to provide a trusted homepage/repository and a reproducible install spec. If you cannot verify the remote package or publisher, avoid running the npx install or providing production credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk9736rsv2snbfjv06nkwgpkcm983cveh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.