ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopify Email Segmentation

Email list segmentation strategy for Shopify stores. Build customer segments, design automated flows, and create personalized campaigns using Klaviyo, MailCh...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 56 · 0 current installs · 0 all-time installs
by@mguozhen
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and the included analyze.sh both aim to generate an email segmentation strategy for Shopify stores — that is coherent. However, the manifest lists no required binaries while analyze.sh clearly depends on an 'openclaw' CLI and python3 (and a POSIX shell). The missing dependency declaration is an inconsistency: a user installing this skill would legitimately need those binaries.
Instruction Scope
The SKILL.md instructions themselves stay within the advertised scope (segments, flows, calendars, playbooks). The analyze.sh script takes arbitrary user input and injects it into a prompt that is passed to 'openclaw agent --local', then parses the agent's JSON output with python3. That means whatever text the user supplies is forwarded to the OpenClaw agent/process. There are no explicit steps that read unrelated local files or environment variables, and there are no HTTP endpoints called directly from the script, but the behavior depends on what the 'openclaw' CLI does (local-only vs network).
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or written to disk by an installer. The only code shipped is analyze.sh (already present in the skill). This is lower risk than an installer that fetches external archives, but the script requires runtime tools not declared in the manifest.
Credentials
The manifest requests no environment variables or credentials, which fits the skill's apparent purpose. However, analyze.sh delegates to an 'openclaw' agent — that agent may itself require credentials or forward data to remote models/services. Because the skill does not document those requirements, it's unclear whether secrets (API keys, model tokens) might be used or needed at runtime.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify system or other skill configs. It simply runs a script when invoked, so there are no elevated persistence or privilege indicators.
What to consider before installing
This skill appears to do what it says (generate Shopify email segmentation strategies), but review these points before installing or running it: - The included analyze.sh calls an 'openclaw' CLI and python3, yet the skill manifest lists no required binaries. Ensure you have and trust the 'openclaw' binary on your system and that python3 is available. - 'openclaw agent --local' may be a wrapper that sends data to remote services or requires API keys. Verify how your local OpenClaw agent is configured (does it run fully locally or proxy requests to a cloud model?), and avoid sending sensitive store/customer data until you confirm its behavior. - Run the script in a sandbox with non-sensitive sample input first to observe network activity and outputs. If you need to use real store data, sanitize or redact personally identifiable information. - Consider asking the skill author (or checking the repository) to explicitly declare required binaries and document whether the 'openclaw' invocation is local-only or networked, and to remove or clarify any external telemetry/endpoints. Given the manifest/script mismatch and the delegation to an agent process of unknown network behavior, treat this skill with caution (hence 'suspicious') rather than outright malicious; the inconsistency could be sloppy packaging but could also hide unintended data flows.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk976n5vakjv3smz15jkrkks5nh83c5rp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Shopify Email Segmentation

Build a high-converting email marketing system with smart segmentation for your Shopify store.

Usage

email segmentation: pet accessories store 5,000 subscribers
Klaviyo: set up segments for fashion brand
email marketing: build flows for new Shopify store
email automation: $200K/year store improve retention

What You Get

  1. Segment Architecture — 10 core segments every Shopify store needs
  2. RFM Analysis Framework — Recency, Frequency, Monetary scoring model
  3. Automated Flow Map — 8 essential Klaviyo/MailChimp flows
  4. Campaign Calendar — 12-month email calendar by segment
  5. Subject Line Playbook — formulas by segment type
  6. Revenue Attribution — expected % of revenue from email
  7. A/B Testing Roadmap — what to test first and how

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…