ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopflow Read-only Packet

v1.0.0

Guides installation and connection to Shopflow's local MCP server for read-only submission readiness checks without live store claims.

0· 66·0 current·0 all-time
byYifeng[Terry] Yu@xiaojiou176

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaojiou176/shopflow-read-only-packet.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Shopflow Read-only Packet" (xiaojiou176/shopflow-read-only-packet) from ClawHub.
Skill page: https://clawhub.ai/xiaojiou176/shopflow-read-only-packet
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shopflow-read-only-packet

ClawHub CLI

Package manager switcher

npx clawhub@latest install shopflow-read-only-packet
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the instructions: the packet teaches how to attach and inspect a local Shopflow MCP read-only surface. However, the manifest declares no required binaries while the instructions implicitly require git, Node.js (pnpm), and a working pnpm toolchain — a mismatch that should be fixed in metadata.
Instruction Scope
SKILL.md stays within the stated purpose (clone the Shopflow repo, start the read-only MCP, run verification commands, and report capability/readiness). It does instruct the host to run pnpm install and pnpm mcp:stdio against a remote GitHub repo, which will execute code fetched from that repo and its npm dependencies — expected for this purpose but a real safety consideration (inspect the repo/package scripts before running on sensitive hosts).
Install Mechanism
There is no install spec (instruction-only), which is low-risk for the skill package itself. But the runtime instructions pull code and dependencies via git and pnpm from an external GitHub repository and npm registry; that network fetch is normal for this workflow but carries the usual risks of running upstream code.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond a repo path placeholder. Nothing asks for unrelated secrets or system credentials.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges, nor does it attempt to modify other skills' configs. It is user-invocable and can be invoked autonomously by the agent (platform default).
Assessment
This packet appears to do what it says: it teaches how to attach a local, read-only Shopflow MCP server. Before you run anything, do the following: (1) add/confirm required binaries in the manifest (git, Node.js, and pnpm) so metadata matches behavior; (2) review the GitHub repo (https://github.com/xiaojiou176-open/shopflow-suite.git) and package.json/scripts to ensure you trust what pnpm install and pnpm mcp:stdio will run; (3) run installs and the MCP server in a sandbox or isolated environment (not on a production host) if you have any doubt; (4) prefer to clone the repo locally and inspect files before executing; and (5) note this skill does not request credentials, but running third‑party installs will contact npm/GitHub and fetch remote code — treat that as the main risk. If you want higher assurance, ask the skill author to declare required binaries in manifest and to provide checksums or an official release URL for the referenced repo.

Like a lobster shell, security has layers — review code before you run it.

distributionvk97ctp9897wp5dp60r9tj0b3cs84gyhrlatestvk97ctp9897wp5dp60r9tj0b3cs84gyhrmcpvk97ctp9897wp5dp60r9tj0b3cs84gyhrpacketvk97ctp9897wp5dp60r9tj0b3cs84gyhrread-onlyvk97ctp9897wp5dp60r9tj0b3cs84gyhrshopflowvk97ctp9897wp5dp60r9tj0b3cs84gyhr
66downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Yifeng[Terry] Yu@xiaojiou176
distributionlatestmcppacketread-onlyshopflow
Download

Shopflow Read-only Packet

Teach the agent how to install, connect, and use Shopflow as a read-only packet surface.

Use this skill when

  • the user wants integration or submission-readiness truth without live store claims
  • the host can run Shopflow's local stdio MCP server
  • the operator wants a packet that explains install, capabilities, and proof in one folder

What this packet teaches

  • how to attach the current Shopflow MCP server
  • which packet-oriented capabilities are safe first
  • how to read submission readiness without flattening it into fake live claims
  • how to keep the OpenClaw-facing install shell truthful

Start here

  1. Read references/INSTALL.md
  2. Load the right host config from:
  3. Skim the capability map in references/CAPABILITIES.md
  4. Run the proof loop in references/DEMO.md
  5. If the packet or attach path fails, use references/TROUBLESHOOTING.md

Must not claim

  • canonical Shopflow repo status beyond the packet truth
  • official OpenClaw listing already live
  • official OpenClaw org integration already approved

Comments

Loading comments...