Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

icosmos Amazon

v0.0.1

Shopify store operations/diagnostics skill: pulls store domains and tokens from Supabase, runs anomaly detection on theme/products/checkout/metrics, and supports publishing traffic-driving blog posts (the only write operation).

by 王新勇 (Tacey Wong) @taceywong · duplicate of @taceywong/icosmos

Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for taceywong/icosmos-amazon.

Prompt (Install & Setup):
Install the skill "icosmos Amazon" (taceywong/icosmos-amazon) from ClawHub.
Skill page: https://clawhub.ai/taceywong/icosmos-amazon
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install icosmos-amazon

ClawHub CLI:

npx clawhub@latest install icosmos-amazon
Security Scan

VirusTotal: Suspicious (View report)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
Metadata/packaging mismatch: the registry name is 'icosmos Amazon' but the SKILL.md and description refer exclusively to Shopify ('icosmos-shopify'). The SKILL.md's purpose (Shopify store diagnostics, reading tokens from Supabase, only one write action to publish a blog) is plausible, but the package-level name/description inconsistency is confusing and could indicate sloppy packaging or mislabeling.
Instruction Scope (flagged)
The runtime instructions say the skill will 'pull store domains and tokens from Supabase' and that setup requires ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD to be saved in the system environment. The instructions also require a local CLI binary named 'icosmos-shopify' to exist in the current directory. None of these requirements are declared in the skill metadata. The instructions therefore expect access to sensitive shop tokens and to persist credentials locally — a scope that should have been explicitly declared.
Install Mechanism
This is an instruction-only skill (no install spec), which is low-risk by itself. However, SKILL.md expects a local executable './icosmos-shopify' to be present and run; the registry metadata lists no required binaries. That mismatch means the skill implicitly depends on an external binary (unknown origin), which you must supply or trust.
Credentials (flagged)
Registry metadata lists no required environment variables, but SKILL.md explicitly instructs the user to store ICOSMOS_USER_EMAIL and ICOSMOS_USER_PASSWORD in system environment variables and notes that it will pull/store shop tokens. These are sensitive credentials (and Shopify admin tokens are high-privilege). The skill also references SHOPIFY_API_VERSION. Requesting persistent system env storage and local caching of tokens is disproportionate to the fact that no envs were declared in metadata and should be justified and documented.
Persistence & Privilege
The package does not request always:true and has no install script, so it does not force persistence at the platform level. But SKILL.md instructs storing user credentials in system env and caching shop tokens locally. That creates on-disk/long-lived secrets under the user's responsibility — a persistence design choice the user should understand and control.
What to consider before installing
Do not install or provide credentials until you verify the source. Key things to check before using:
  1. Confirm whether the skill author intended this for Shopify (metadata/name mismatch).
  2. Ask the author to update the package metadata to declare required env vars and the dependency on a local 'icosmos-shopify' binary (and provide its origin).
  3. Never put high-privilege Shopify admin tokens or long-lived passwords into system-wide environment variables unless you trust the code and have minimized scopes; prefer temporary tokens or least-privilege app tokens.
  4. Understand where Supabase credentials come from: who controls that DB and what data (shop tokens) will be returned and cached.
  5. If you must test, do so in a sandbox store with limited-scoped tokens and use the blog publish --confirm safeguard only after manual review.
If the author cannot explain the metadata/binary/env inconsistencies, treat the package as untrusted.


189 downloads · 0 stars · 1 version · Updated 21h ago · v0.0.1 · License: MIT-0

icosmos-shopify

A collection of Shopify operations capabilities triggered by OpenClaw: primarily read-only diagnostics to help locate conversion/marketing/product problems; the only write operation is publishing a Shopify Blog article (requires an explicit --confirm).

Triggers

  • Applicable scenario keywords: store audit, theme optimization, product optimization, checkout testing, conversion drop, poor marketing performance, publishing blog/traffic-driving articles.
  • Execution order once triggered
    1. setup once: use ICOSMOS_USER_EMAIL / ICOSMOS_USER_PASSWORD to sync stores and tokens to the local cache
    2. content/*: pull raw data (more complete and more traceable)
    3. audit/* / test checkout: produce diagnostics and verification
    4. blog publish: run only when publishing is explicitly requested (--confirm is required)

Quick reference

  • Setup once (sync stores/tokens from Supabase to local): icosmos-shopify setup once
  • List stores: icosmos-shopify stores list
  • Get basic store info (raw data): icosmos-shopify content shop --store xxx.myshopify.com
  • Get product list (raw data, paginated): icosmos-shopify content products list --store xxx.myshopify.com --first 20 --after <cursor>
  • Get order list (raw data, time window): icosmos-shopify content orders list --store xxx.myshopify.com --start <RFC3339> --end <RFC3339>
  • Get blog list / articles (raw data): icosmos-shopify content blogs list --store xxx.myshopify.com / icosmos-shopify content blogs articles list --store xxx.myshopify.com --blog-id 123
  • Theme checklist (read-only): icosmos-shopify audit theme --store xxx.myshopify.com
  • Product quality diagnostics (read-only): icosmos-shopify audit products --store xxx.myshopify.com --limit 50
  • Checkout flow test (read-only): icosmos-shopify test checkout --store xxx.myshopify.com
  • Business metrics and anomaly clues (read-only): icosmos-shopify audit metrics --store xxx.myshopify.com --days 7
  • Publish traffic-driving blog post (write operation): icosmos-shopify blog publish --store xxx.myshopify.com --blog-id 123 --title ... --body-file article.html --confirm

Output protocol (more stable for OpenClaw)

  • Recommended default: --format json (content/* already defaults to json); unified structure:
    • store_domain / api_version / meta / data
  • Pagination info
    • GraphQL: meta.page_info.has_next_page / end_cursor
    • REST: meta.page_info.next_link (taken from the Link: rel="next" header)

Dependencies and configuration

  • Setup once:

    • ICOSMOS_USER_EMAIL
    • ICOSMOS_USER_PASSWORD

    Both fields must be saved as system environment variables.

    The required command-line tool is icosmos-shopify in the current directory.

Shopify

  • SHOPIFY_API_VERSION (default 2026-01)

Security boundaries (important)

  • Read-only by default: theme/product/metrics/checkout tests never write to Shopify.
  • The only write operation is blog publishing: --confirm must be supplied; otherwise, even with all parameters present, it only dry-runs.
  • Log redaction: store tokens show only their first and last 4 characters (abcd...wxyz).
  • Sensitive field handling: sensitive fields such as order email are not output by default (or are blanked) to avoid leaking them in group chats/logs.
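As an added example (not code from the skill or this page), the output protocol and the two redaction rules above in Python: the unified store_domain / api_version / meta / data envelope, token masking to first/last four characters, blanking sensitive order fields, and deriving meta.page_info.next_link from a REST Link header. The envelope builder, the meta.token_hint field, the redacted field names beyond email, and all sample values are assumptions constructed for this example.

```python
import re
from typing import Any, Dict, List, Optional

# Fields blanked before an order reaches chat/logs: the page names email; the rest are assumed additions.
SENSITIVE_ORDER_FIELDS = {"email", "phone", "billing_address", "shipping_address"}

def mask_token(token: str) -> str:
    """Show only the first and last 4 characters (abcd...wxyz); fully mask short values."""
    if len(token) <= 8:
        return "*" * len(token)
    return f"{token[:4]}...{token[-4:]}"

def redact_order(order: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the order with sensitive fields set to None."""
    return {k: (None if k in SENSITIVE_ORDER_FIELDS else v) for k, v in order.items()}

def next_link(link_header: Optional[str]) -> Optional[str]:
    """Pull the rel="next" URL out of a REST Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None

def build_envelope(store_domain: str, api_version: str, token: str,
                   orders: List[Dict[str, Any]], link_header: Optional[str]) -> Dict[str, Any]:
    """Assemble the unified store_domain / api_version / meta / data structure."""
    return {
        "store_domain": store_domain,
        "api_version": api_version,
        "meta": {
            "token_hint": mask_token(token),  # assumed field; never the raw token
            "page_info": {"next_link": next_link(link_header)},
        },
        "data": [redact_order(o) for o in orders],
    }

def has_next_page(meta: Dict[str, Any]) -> bool:
    """True for either pagination style: GraphQL has_next_page or REST next_link."""
    pi = meta.get("page_info", {})
    return bool(pi.get("has_next_page")) or pi.get("next_link") is not None

# Constructed sample input (not real data): one order page plus its Link header.
SAMPLE_TOKEN = "shpat_0123456789abcdef0123456789abcdef"
SAMPLE_LINK = ('<https://xxx.myshopify.com/admin/api/2026-01/orders.json?page_info=aaa&limit=50>; rel="previous", '
               '<https://xxx.myshopify.com/admin/api/2026-01/orders.json?page_info=bbb&limit=50>; rel="next"')
SAMPLE_ORDERS = [{"id": 1001, "email": "buyer@example.com", "total_price": "19.99"}]
```

Calling build_envelope("xxx.myshopify.com", "2026-01", SAMPLE_TOKEN, SAMPLE_ORDERS, SAMPLE_LINK) yields a record whose meta carries only the masked token and whose data has the email blanked.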

Common issues and troubleshooting

  • 401/403: insufficient Admin token scopes or an expired token; check the Shopify Custom App's Admin API access token and its permissions.
  • 429 Too Many Requests: backoff and retry are already implemented; if triggered frequently, reduce concurrency, fetch fewer fields, or narrow the time range.
  • Storefront 430 Security Rejection: the request may have been classified as anomalous; check the request origin and whether the token is correct, and if necessary add a more realistic request-header strategy (future enhancement).

Reference documents
