Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

icosmos

v0.0.1

Shopify store operations/diagnostics skill: pulls store domains and tokens from Supabase, runs theme/product/checkout/metrics anomaly detection, and supports publishing traffic-driving blog posts (the only write operation).

0 · 196 · 0 current · 0 all-time
by 王新勇 (Tacey Wong) @taceywong

Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for taceywong/icosmos.

Prompt preview (Install & Setup):
Install the skill "icosmos" (taceywong/icosmos) from ClawHub.
Skill page: https://clawhub.ai/taceywong/icosmos
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command line (CLI commands)

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install icosmos

ClawHub CLI


npx clawhub@latest install icosmos
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The description says it pulls shop domains and tokens from Supabase and runs Shopify diagnostics (mostly read-only, with an optional blog publish). That purpose would legitimately require access to Supabase and Shopify credentials. However, the registry metadata declares no required env vars, no primary credential, and no required binaries — a mismatch with the SKILL.md which references ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD, SHOPIFY_API_VERSION, and an on-disk 'icosmos-shopify' CLI. The lack of declared Supabase access parameters (URL, key) is also inconsistent with claimed behavior.
Instruction Scope
SKILL.md instructs the agent to run a local CLI (./icosmos-shopify) and to 'sync stores & tokens to local cache' using ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD. It references reading Shopify data, suppressing sensitive fields, and a write action (blog publish) gated by --confirm. The instructions reference accessing and caching sensitive tokens and require env vars not declared elsewhere. There are no instructions about where Supabase credentials come from, how cached tokens are stored/encrypted, or what exact network endpoints are used — leaving wide discretion and potential for secret exposure.
Install Mechanism
There is no install spec and no code files in the package, yet the runtime instructions require a local binary named icosmos-shopify to exist in the current directory. That is incoherent: either the binary must be provided by the publisher (but it's not included) or the instructions assume an out-of-band install step (not documented). Lack of a documented, trusted install source for executable code is a notable risk.
Credentials
The SKILL.md requires ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD to be saved as system environment variables and references Shopify tokens and Supabase-hosted tokens. The published metadata lists no required env vars or primary credentials. Requesting persistent system env storage of credentials and syncing tokens into a local cache is a high-impact capability and should be explicitly declared and justified. There is no mention of Supabase URL/service key or least-privilege Shopify token scopes.
Persistence & Privilege
Per the instructions, the skill persistently syncs Shopify tokens into a local cache and asks users to save credentials to system env. While always:false and normal autonomous-invocation defaults are set, the combination of undisclosed persistence of tokens and an undisclosed binary source increases risk. There is no documentation of where the cache resides, its permissions, or encryption, nor any provenance for the executable that will perform those writes.
What to consider before installing
Do not install or run this skill until the publisher answers basic provenance and security questions. Specifically ask: (1) Where does the icosmos-shopify binary come from? Provide a verified download or source repo and an install spec. (2) How does setup authenticate to Supabase — what URL and service key are required, and why are those not declared? (3) Exactly which environment variables (names and purposes) are required and why must ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD be stored as system env vars? (4) Where and how are synced Shopify tokens cached on disk? Are they encrypted and access-controlled? (5) What Shopify token scopes are required and can least-privilege tokens be used? Until you get clear answers and a verifiable install/source (or can run the binary in a safe, isolated environment and inspect it), treat this skill as untrusted. If you must test it, run it in an isolated VM or container, avoid placing long-lived secrets in global env vars, and prefer short-lived or scoped credentials.
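The findings above all reduce to one check: what SKILL.md tells the agent to use versus what the registry manifest declares. The script below is an added example (not ClawHub's scanner and not part of the icosmos package) that performs that cross-check on a constructed SKILL.md excerpt. The `DECLARED_ICOSMOS` dict is a hypothetical shape for registry metadata; the page only says the listing declares no env vars, no primary credential and no binaries, so both sets are empty.

```python
import re

# Constructed excerpt that stands in for the skill's SKILL.md; it is not the real
# file, only the lines the scan findings above describe.
SKILL_MD = """\
1. setup once: use ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD to sync stores and tokens to the local cache
The required command-line tool is ./icosmos-shopify in the current directory.
SHOPIFY_API_VERSION (default 2026-01)
Get order list (raw data, time window): --start <RFC3339> --end <RFC3339>
REST: meta.page_info.next_link (from the Link: rel="next" header)
"""

# Hypothetical shape of what a registry declares for a skill. The page says the
# icosmos listing declares no env vars and no binaries, so both sets are empty.
DECLARED_ICOSMOS = {"env": set(), "binaries": set()}

# UPPER_SNAKE names with at least one underscore: env vars, not acronyms like RFC3339.
ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
# ./name references to executables expected in the working directory.
BIN_RE = re.compile(r"(?<![\w/.])\./([\w.-]+)")
SECRET_HINTS = ("PASSWORD", "TOKEN", "SECRET", "KEY")


def referenced_env_vars(text: str) -> set:
    return set(ENV_RE.findall(text))


def referenced_binaries(text: str) -> set:
    return set(BIN_RE.findall(text))


def audit_skill(skill_md: str, declared: dict) -> dict:
    """Compare what SKILL.md asks the agent to use against what the registry declares."""
    env = referenced_env_vars(skill_md)
    bins = referenced_binaries(skill_md)
    undeclared_env = env - declared["env"]
    undeclared_bins = bins - declared["binaries"]
    secret_like = {v for v in undeclared_env if any(h in v for h in SECRET_HINTS)}

    findings = []
    if undeclared_env:
        findings.append(f"env vars used but not declared: {sorted(undeclared_env)}")
    if secret_like:
        findings.append(f"undeclared credential-like env vars: {sorted(secret_like)}")
    if undeclared_bins:
        findings.append(f"local executables required but not shipped or declared: {sorted(undeclared_bins)}")

    # Any credential-like variable or executable the manifest does not own is
    # enough to refuse an unattended install; plain undeclared vars need a look.
    if secret_like or undeclared_bins:
        verdict = "suspicious"
    elif undeclared_env:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "undeclared_env": undeclared_env,
        "undeclared_binaries": undeclared_bins,
        "secret_like_undeclared": secret_like,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = audit_skill(SKILL_MD, DECLARED_ICOSMOS)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Run against the excerpt it reports three undeclared variables, one of them credential-like, and one undeclared executable, which is exactly the mismatch the scanner flagged; the same excerpt audited against a manifest that declares all four comes back clean.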

Like a lobster shell, security has layers — review code before you run it.

latest: vk97c017ng6mqdwpb9fhdm8rw4h833te4
196 downloads
0 stars
1 version
Updated 22h ago
v0.0.1
MIT-0

icosmos-shopify

A set of Shopify operations capabilities triggered from OpenClaw: primarily read-only diagnostics to help locate conversion/marketing/product problems; the only write operation is publishing a Shopify Blog article (requires an explicit --confirm).

Triggers

  • Applicable scenario keywords: store audit, theme optimization, product optimization, checkout testing, conversion drop, poor marketing performance, publishing blog/traffic-driving articles.
  • Execution order once triggered
    1. setup once: use ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD to sync stores and tokens to the local cache
    2. content/*: pull raw data (more complete, more traceable)
    3. audit/* / test checkout: produce diagnostics and verification
    4. blog publish: only when publishing is explicitly requested (--confirm is mandatory)

Quick reference

Need: command
  • Setup once (sync stores/tokens from Supabase to the local cache): icosmos-shopify setup once
  • List stores: icosmos-shopify stores list
  • Get basic store info (raw data): icosmos-shopify content shop --store xxx.myshopify.com
  • Get product list (raw data, paginated): icosmos-shopify content products list --store xxx.myshopify.com --first 20 --after <cursor>
  • Get order list (raw data, time window): icosmos-shopify content orders list --store xxx.myshopify.com --start <RFC3339> --end <RFC3339>
  • Get blog list / articles (raw data): icosmos-shopify content blogs list --store xxx.myshopify.com / icosmos-shopify content blogs articles list --store xxx.myshopify.com --blog-id 123
  • Theme checklist (read-only): icosmos-shopify audit theme --store xxx.myshopify.com
  • Product quality diagnostics (read-only): icosmos-shopify audit products --store xxx.myshopify.com --limit 50
  • Checkout flow test (read-only): icosmos-shopify test checkout --store xxx.myshopify.com
  • Business metrics and anomaly clues (read-only): icosmos-shopify audit metrics --store xxx.myshopify.com --days 7
  • Publish traffic-driving blog post (write operation): icosmos-shopify blog publish --store xxx.myshopify.com --blog-id 123 --title ... --body-file article.html --confirm

Output protocol (more stable for OpenClaw)

  • --format json is recommended by default (content/* already defaults to json); unified structure:
    • store_domain / api_version / meta / data
  • Pagination info
    • GraphQL: meta.page_info.has_next_page / end_cursor
    • REST: meta.page_info.next_link (taken from the Link: rel="next" header)

Dependencies and configuration

  • Setup once:

    • ICOSMOS_USER_EMAIL
    • ICOSMOS_USER_PASSWORD

    Both fields must be saved as system environment variables.

    The required command-line tool is icosmos-shopify in the current directory.

Shopify

  • SHOPIFY_API_VERSION (default 2026-01)

Security boundary (important)

  • Read-only by default: theme/product/metrics/checkout tests perform no writes to Shopify.
  • Only write operation, blog publish: --confirm must be supplied; otherwise, even with all parameters present, the command only dry-runs.
  • Log redaction: store tokens show only the first and last 4 characters (abcd...wxyz).
  • Sensitive field handling: sensitive fields such as order email are not output by default (or are blanked) to avoid leaking them in group chats/logs.
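The three controls in this section (the --confirm write gate, first/last-4 token redaction, and blanking sensitive order fields) are simple enough to state as code. The block below is an added example, not code from the icosmos-shopify binary, whose source is not published; it assumes that the token prefix shpat_ (the prefix Shopify uses for custom-app Admin API access tokens) identifies tokens in log lines, that tokens of 8 characters or fewer are fully masked, and that phone and address fields are scrubbed alongside email, none of which the page states.

```python
import re
from typing import Callable, Optional

# Shopify custom-app Admin API access tokens carry the shpat_ prefix.
TOKEN_RE = re.compile(r"\bshpat_[A-Za-z0-9]+\b")

# The page names order email; the other fields are assumed additions.
SENSITIVE_ORDER_FIELDS = {"email", "contact_email", "phone",
                          "billing_address", "shipping_address", "customer"}


def redact_token(token: str) -> str:
    """Keep only the first and last 4 characters (abcd...wxyz), per the log rule."""
    if len(token) <= 8:            # assumed policy: too short to keep any characters
        return "*" * len(token)
    return f"{token[:4]}...{token[-4:]}"


def redact_log_line(line: str) -> str:
    """Apply the token rule to every shpat_ token found in a log line."""
    return TOKEN_RE.sub(lambda m: redact_token(m.group(0)), line)


def scrub_order(order: dict) -> dict:
    """Blank sensitive order fields so raw output is safe for group chats and logs."""
    return {k: (None if k in SENSITIVE_ORDER_FIELDS else v) for k, v in order.items()}


def blog_publish(store: str, blog_id: int, title: str, body_html: str,
                 confirm: bool = False,
                 send: Optional[Callable[[dict], dict]] = None) -> dict:
    """Write gate: without confirm the request is built and returned but never sent."""
    request = {"store": store, "blog_id": blog_id,
               "article": {"title": title, "body_html": body_html}}
    if not confirm:
        return {"mode": "dry-run", "sent": False, "request": request}
    if send is None:
        raise ValueError("confirm=True requires a sender")
    return {"mode": "publish", "sent": True, "response": send(request)}


if __name__ == "__main__":
    sent = []

    def fake_send(req):            # constructed stand-in for the Admin API call
        sent.append(req)
        return {"article": {"id": 42}}

    print(redact_log_line("using token shpat_0123456789abcdef for xxx.myshopify.com"))
    print(scrub_order({"id": 1001, "email": "buyer@example.com", "total_price": "10.00"}))
    print(blog_publish("xxx.myshopify.com", 123, "Hello", "<p>hi</p>")["mode"])
    print(blog_publish("xxx.myshopify.com", 123, "Hello", "<p>hi</p>",
                       confirm=True, send=fake_send)["mode"], len(sent))
```

The dry-run branch returns the exact request it would have sent, which is what an agent should show the user before the --confirm run; the redaction runs on the log line, not on the token in memory, so the same token can still be used for the call.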

Common issues and troubleshooting

  • 401/403: insufficient Admin token scopes or an expired token; verify the Shopify Custom App's Admin API access token and its permissions.
  • 429 Too Many Requests: backoff and retry are already implemented; if it triggers frequently, lower concurrency, fetch fewer fields, or narrow the time range.
  • Storefront 430 Security Rejection: the request may have been judged anomalous; check the request origin and whether the token is correct, and if necessary add a more realistic request-header strategy (future enhancement).
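Two items on this page describe client behaviour rather than commands: the output protocol's pagination fields (meta.page_info.next_link from the Link: rel="next" header for REST, has_next_page / end_cursor for GraphQL) and the 429 backoff mentioned in the troubleshooting list. The block below is an added example covering both, written against constructed fixtures rather than a live shop; it is not code from icosmos-shopify. The transport signature (status, headers, body), the fake page bodies, and the envelope's `pages` counter are assumptions; the Link header format is RFC 8288 as Shopify's REST Admin API emits it.

```python
import re
import time
from typing import Callable, Optional

LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')

FIRST_URL = "https://xxx.myshopify.com/admin/api/2026-01/orders.json?limit=2"
NEXT_URL = FIRST_URL + "&page_info=abc"

# Constructed fixture standing in for two pages of REST responses as
# (status, headers, json body). Page 1 points at page 2 through the Link header.
FAKE_REST_PAGES = {
    FIRST_URL: (200, {"Link": f'<{NEXT_URL}>; rel="next"'}, {"orders": [{"id": 1}, {"id": 2}]}),
    NEXT_URL: (200, {}, {"orders": [{"id": 3}]}),
}

# Constructed fixture for a GraphQL connection, keyed by the `after` cursor.
FAKE_GQL_PAGES = {
    None: {"edges": [{"node": {"id": "gid://shopify/Product/1"}}],
           "pageInfo": {"hasNextPage": True, "endCursor": "c1"}},
    "c1": {"edges": [{"node": {"id": "gid://shopify/Product/2"}}],
           "pageInfo": {"hasNextPage": False, "endCursor": "c2"}},
}


def make_fake_rest_transport(throttle_once: Optional[str] = None) -> Callable:
    """transport(url) -> (status, headers, body); the named URL is 429'd on its first request."""
    throttled = set()

    def transport(url):
        if url == throttle_once and url not in throttled:
            throttled.add(url)
            return 429, {"Retry-After": "2"}, {"errors": "Too Many Requests"}
        return FAKE_REST_PAGES[url]
    return transport


def parse_link_header(value: Optional[str]) -> dict:
    """RFC 8288 Link header -> {rel: url}; Shopify REST paginates with rel="next"/"previous"."""
    return {rel: url for url, rel in LINK_RE.findall(value or "")}


def fetch_with_backoff(transport, url, max_retries=3, sleep=time.sleep):
    """Retry on 429, honouring Retry-After when present and backing off exponentially otherwise."""
    for attempt in range(max_retries + 1):
        status, headers, body = transport(url)
        if status != 429:
            return status, headers, body
        sleep(float(headers.get("Retry-After", 2 ** attempt)))
    raise RuntimeError(f"still rate-limited after {max_retries} retries: {url}")


def fetch_all_rest(transport, first_url, key, store, api_version, sleep=time.sleep):
    """Follow Link: rel="next" until exhausted and return the skill's envelope shape."""
    items, url, pages = [], first_url, 0
    while url:
        status, headers, body = fetch_with_backoff(transport, url, sleep=sleep)
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {url}")
        items.extend(body[key])
        pages += 1
        url = parse_link_header(headers.get("Link")).get("next")
    return {"store_domain": store, "api_version": api_version,
            "meta": {"pages": pages, "page_info": {"next_link": None}}, "data": items}


def graphql_page(connection: dict) -> dict:
    """Map a GraphQL connection to meta.page_info.has_next_page / end_cursor."""
    pi = connection["pageInfo"]
    return {"data": [e["node"] for e in connection["edges"]],
            "meta": {"page_info": {"has_next_page": pi["hasNextPage"],
                                   "end_cursor": pi["endCursor"]}}}


def fetch_all_graphql(query, first=20):
    """Walk a connection with first/after until has_next_page is false."""
    items, after = [], None
    while True:
        page = graphql_page(query(first, after))
        items.extend(page["data"])
        if not page["meta"]["page_info"]["has_next_page"]:
            return items
        after = page["meta"]["page_info"]["end_cursor"]


if __name__ == "__main__":
    waits = []
    rest = fetch_all_rest(make_fake_rest_transport(throttle_once=NEXT_URL), FIRST_URL,
                          "orders", "xxx.myshopify.com", "2026-01", sleep=waits.append)
    print(rest["meta"], [o["id"] for o in rest["data"]], "slept:", waits)
    print(fetch_all_graphql(lambda first, after: FAKE_GQL_PAGES[after]))
```

Pulling the sleep function out as a parameter is what makes the backoff testable without waiting, and bounding the retries is what turns a sustained 429 into a visible failure instead of a silent stall, which is the point of the "lower concurrency, fetch fewer fields" advice above.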

Reference docs
