Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Buy3

v1.0.2

Search, browse, compare, find similar products, and buy from millions of online stores. No API Key required.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes searching shop.app endpoints and building shopping responses — this aligns with the name/description. However the file claims author "shopify" while the registry shows an unknown owner and no homepage, which could indicate impersonation or an unverified publisher.
Instruction Scope
Instructions are detailed and stay within shopping functionality (search, similarity, checkout links). But they explicitly instruct collecting and using user PII (email, shipping address) to pre-fill checkouts and ask for user photos for virtual try-on; they also require sending images (base64) to the similarity API and may send images to image-generation services. These actions can expose sensitive personal data and lead to unexpected data flow to third parties.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk and no third-party binaries or downloads are requested.
Credentials
The skill requests no environment variables or credentials, which is proportionate for its purpose. However, at runtime it solicits user-provided secrets/PII (emails, shipping addresses) and images; pre-filling checkout via query parameters embeds that data in store URLs, which may be logged or leaked by the store, intermediaries, or browser history. The absence of declared credentials is consistent with the shopping use-case.
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence. It does direct the agent to use platform messaging tools but does not request system-level privileges or modify other skills.
What to consider before installing
This skill appears to implement a shopping assistant against shop.app endpoints and has no install footprint, but there are two things to watch before installing: (1) publisher verification — the SKILL.md claims "shopify" but the registry entry has no homepage or known owner; verify that the publisher is legitimate. (2) privacy/data flow — the instructions ask you to collect user emails, shipping addresses, and photos for pre-filling checkout and virtual try-on. Those items can be sent to third-party stores or image services and may be stored or logged. If you install it, avoid automatically pre-filling sensitive data, require explicit user consent before sending photos or PII, and test with non-sensitive examples first. If you need stronger assurance, ask the publisher for an authoritative homepage or repository and a statement about how user data is handled.


latest · vk97dfvs9wfwp0ndc71ymcng9ax83mkz2
