v0.1.0

Supply Chain Optimization Shopify

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:00 AM.

Analysis

The skill appears to be a legitimate Shopify/DTC analysis helper, but users should verify the install source and treat optional Shopify/ShipBob API tokens as sensitive.

Guidance: This skill looks appropriate for manual Shopify/DTC supply-chain analysis. Before installing, verify the Nexscope repository and publisher. Do not provide Shopify or ShipBob tokens unless you need API-based analysis, and if you do, use least-privilege read-only scopes where possible and avoid exposing unnecessary customer or order details.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
npx skills add nexscope-ai/eCommerce-Skills --skill supply-chain-optimization-shopify -g

The documented installation path uses a user-run npx command and a global skill install from an external repository. This is normal installation documentation, but it is still a provenance point users should verify.

User impact: Installing from the wrong or untrusted repository could add code or instructions different from what the user expects.
Recommendation: Confirm the repository and publisher before running the install command, and prefer pinned or trusted sources when available.
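One way to turn that recommendation into a repeatable pre-install check, as an added example for this report (not code from the skill, from Nexscope or from ClawScan): parse the documented install command, reject any owner that is not on a reviewer-maintained allowlist, and record a digest of the skill directory at a reviewed commit so a later copy can be compared against it. The allowlist, the commit id and the repository layout are assumptions the reviewer fills in; the digest therefore covers a whole directory tree rather than a path the report does not show.

```python
"""Pre-install provenance checks for a skill fetched via `npx skills add`.

Added example for this report; it is not code from the skill or from ClawScan.
Assumptions: TRUSTED_OWNERS and the pinned commit are values the reviewer
records after reading the skill; the repo layout is unknown, so the digest
covers a whole directory tree.
"""
import hashlib
import os
import shlex
import subprocess
import tempfile

# Exact owner names the reviewer has vetted (assumption; a lookalike owner fails).
TRUSTED_OWNERS = {"nexscope-ai"}


def parse_install_command(cmd: str) -> dict:
    """Extract owner/repo, skill name and the global flag from an `npx skills add` line.
    Any flag other than --skill / -g is refused so it gets reviewed by hand."""
    argv = shlex.split(cmd)
    if argv[:3] != ["npx", "skills", "add"]:
        raise ValueError("not an `npx skills add` command: %r" % cmd)
    info = {"repo": None, "skill": None, "global": False}
    i = 3
    while i < len(argv):
        tok = argv[i]
        if tok == "--skill":
            info["skill"] = argv[i + 1]
            i += 2
        elif tok == "-g":
            info["global"] = True
            i += 1
        elif tok.startswith("-"):
            raise ValueError("unexpected flag %r; review the command by hand" % tok)
        else:
            info["repo"] = tok
            i += 1
    if info["repo"] is None or "/" not in info["repo"]:
        raise ValueError("install command does not name an owner/repo")
    return info


def publisher_is_trusted(repo: str, allowlist: set = TRUSTED_OWNERS) -> bool:
    """Case-sensitive exact match on the owner part of owner/repo."""
    owner, _, _ = repo.partition("/")
    return owner in allowlist


def tree_digest(root: str) -> str:
    """SHA-256 over every file under root (sorted relative path + contents).
    A single changed instruction line in SKILL.md changes the result."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")
            with open(path, "rb") as f:
                h.update(f.read())
            h.update(b"\0")
    return h.hexdigest()


def digest_matches(root: str, expected_hex: str) -> bool:
    """Compare a fresh checkout or an installed copy against the reviewed digest."""
    return tree_digest(root) == expected_hex.lower()


def clone_pinned(repo: str, commit: str, dest: str) -> None:
    """Fetch the repo and move to the reviewed commit (network; not used by the self-check)."""
    subprocess.run(["git", "clone", "--quiet", f"https://github.com/{repo}.git", dest], check=True)
    subprocess.run(["git", "-C", dest, "checkout", "--quiet", commit], check=True)


def write_tree(files: dict) -> str:
    """Create a throwaway directory from {relative_path: bytes} (constructed test data)."""
    root = tempfile.mkdtemp(prefix="skill-review-")
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    cmd = "npx skills add nexscope-ai/eCommerce-Skills --skill supply-chain-optimization-shopify -g"
    info = parse_install_command(cmd)
    print(info, "trusted:", publisher_is_trusted(info["repo"]))
    # Set PINNED_COMMIT to a commit id you reviewed to record its digest (hypothetical value).
    commit = os.environ.get("PINNED_COMMIT")
    if commit:
        dest = tempfile.mkdtemp(prefix="skill-pin-")
        clone_pinned(info["repo"], commit, dest)
        print("reviewed digest:", tree_digest(dest))
```

Record the digest printed for the reviewed commit alongside the commit id; after running the page's install command, run `digest_matches` against the installed skill directory and refuse to use the skill if it differs.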
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
export SHOPIFY_STORE_URL="xxx.myshopify.com"
export SHOPIFY_ACCESS_TOKEN="xxx" ... | Orders | Orders API | ... | Customers | Customers API |

The skill documents optional Shopify Admin API credentials and access to orders, products, inventory, and customers. This is expected for store analysis, but it is delegated account access to sensitive business and customer data.

User impact: A broad Shopify Admin token could expose store operations, customer records, and order history to the agent session if the user provides it.
Recommendation: Only provide a Shopify token when needed, use the narrowest possible API scopes, avoid sharing unnecessary customer data, and revoke or rotate tokens after use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
### 3PL API (e.g., ShipBob)

export SHIPBOB_API_TOKEN="xxx"

The skill contemplates integration with a third-party logistics API. This is relevant to the supply-chain purpose, but the artifacts do not spell out data boundaries, token scopes, or what fulfillment data would be read.

User impact: If used, fulfillment or logistics account data may be brought into the agent context or accessed through a provider API.
Recommendation: Use least-privilege 3PL tokens, avoid pasting unnecessary sensitive fulfillment/customer details, and confirm what data is needed before enabling the integration.
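The two credential findings above (the Shopify Admin token and the 3PL token) both come down to the same two checks: find out what a token can actually do before an agent session sees it, and strip customer identity from records before they enter the agent context. The following is an added example for this report, not code from the skill, Shopify or ShipBob. It audits the scopes a Shopify token carries against a read-only set the analysis plausibly needs, then redacts an order down to the SKU, quantity, status and coarse region fields a supply-chain analysis uses. The scope handles are Shopify Admin API scope names, the scope response and order record are constructed samples, and the `NEEDED_SCOPES` set is an assumption. The report does not show what the ShipBob integration returns, so the 3PL side is covered only by the reusable pattern, with field names the user supplies once known.

```python
"""Least-privilege checks for the optional Shopify / 3PL tokens the skill documents.

Added example for this report; not code from the skill, Shopify or ShipBob.
Assumptions: NEEDED_SCOPES is what a supply-chain analysis plausibly needs;
SAMPLE_SCOPES_BODY and SAMPLE_ORDER are constructed; PII_KEYS follows Shopify
order field names and must be adjusted for a 3PL payload once its shape is known.
"""
import json
import urllib.request

# Read-only scopes the analysis is assumed to need. Anything else is excess.
NEEDED_SCOPES = {"read_orders", "read_products", "read_inventory"}

# Constructed sample of the access_scopes response: a token that is too broad.
SAMPLE_SCOPES_BODY = json.dumps({"access_scopes": [
    {"handle": "read_orders"}, {"handle": "write_orders"}, {"handle": "read_products"},
    {"handle": "read_inventory"}, {"handle": "read_customers"},
]}).encode()

# Constructed sample order in the shape of a Shopify Admin order record (subset).
SAMPLE_ORDER = {
    "id": 1001, "created_at": "2026-04-28T10:15:00Z", "fulfillment_status": "fulfilled",
    "email": "buyer@example.com", "phone": "+15555550100", "browser_ip": "203.0.113.7",
    "note": "leave at back door", "customer": {"id": 55, "first_name": "A", "last_name": "B"},
    "shipping_address": {"address1": "1 Main St", "city": "Oakland",
                         "province_code": "CA", "country_code": "US", "zip": "94601"},
    "line_items": [{"sku": "SKU-1", "quantity": 2, "price": "9.99", "name": "Widget"}],
}


def parse_access_scopes(body: bytes) -> list:
    """Pull the scope handles out of an access_scopes.json response body."""
    return [s["handle"] for s in json.loads(body)["access_scopes"]]


def fetch_access_scopes(store_url: str, token: str) -> list:
    """Ask the store which scopes this token carries (network; not used by the self-check)."""
    req = urllib.request.Request(
        f"https://{store_url}/admin/oauth/access_scopes.json",
        headers={"X-Shopify-Access-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_access_scopes(resp.read())


def audit_scopes(granted, needed=NEEDED_SCOPES) -> dict:
    """Classify a token's scopes. Any write scope or read scope outside `needed`
    means the token should be reissued before an agent session sees it."""
    granted = set(granted)
    write = sorted(s for s in granted if s.startswith("write_"))
    excess = sorted(s for s in granted if s.startswith("read_") and s not in needed)
    return {
        "write": write,
        "excess_read": excess,
        "missing": sorted(needed - granted),
        "ok": not write and not excess,
    }


# Fields that identify a customer; dropped before an order enters the agent context.
PII_KEYS = {"email", "phone", "customer", "billing_address", "shipping_address",
            "first_name", "last_name", "note", "browser_ip"}
# Line-item fields a supply-chain analysis needs (assumption).
KEEP_LINE_ITEM = {"sku", "quantity", "variant_id", "fulfillment_status", "title"}


def redact_order(order: dict, pii_keys=PII_KEYS, keep_line_item=KEEP_LINE_ITEM) -> dict:
    """Keep scalar operational fields and whitelisted line-item fields; drop PII and
    every nested object not explicitly kept. Only coarse geography survives."""
    out = {k: v for k, v in order.items()
           if k not in pii_keys and not isinstance(v, (dict, list))}
    out["line_items"] = [{k: li[k] for k in keep_line_item if k in li}
                         for li in order.get("line_items", [])]
    ship = order.get("shipping_address") or {}
    out["ship_region"] = {k: ship[k] for k in ("country_code", "province_code") if ship.get(k)}
    return out


if __name__ == "__main__":
    print(audit_scopes(parse_access_scopes(SAMPLE_SCOPES_BODY)))
    print(redact_order(SAMPLE_ORDER))
```

Run `audit_scopes(fetch_access_scopes(store, token))` once with the real token; if `write` or `excess_read` is non-empty, create a new token with only the needed scopes rather than handing the broad one to the agent, and apply `redact_order` (or a copy with the 3PL payload's own field names) to every record before it is pasted or returned into the session.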