Supply Chain Optimization Shopify

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate, but it needs review because its Shopify-focused analysis uses Amazon/FBA assumptions and it asks users to export sensitive Shopify/ShipBob tokens without handling guidance.

Review before installing. Manual calculator use does not appear to require credentials, but treat its Shopify recommendations cautiously because parts of the implementation use Amazon/FBA assumptions. Only provide Shopify or ShipBob tokens if needed, use narrowly scoped read-only credentials, avoid saving them in shell history or shared logs, and rotate any token that may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill is marketed as a Shopify/DTC supply-chain analyzer, but the calculator logic and defaults are centered on Amazon/FBA concepts such as FBA fees and Amazon-oriented benchmarks. This can mislead users into making operational or financial decisions based on the wrong business model, producing materially inaccurate advice rather than a direct code-execution exploit.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The cash-cycle calculation hardcodes a 14-day 'AmazonPayment Cycle' regardless of selected platform, which is inconsistent with a Shopify-focused skill and with the platform-specific benchmark table. Users relying on this output could underestimate or overestimate working-capital needs, causing bad purchasing, inventory, or financing decisions.

Missing User Warnings

Medium
Confidence: 76%
Finding
The README instructs users to export live API credentials for Shopify and ShipBob without any accompanying guidance on secure secret handling. While it does not disclose real tokens, normalizing unsafe credential practices can lead users to place secrets in shell history, shared terminals, logs, screenshots, or improperly scoped environments, increasing the chance of credential leakage.

VirusTotal

66/66 vendors flagged this skill as clean.
