Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

myskill

v1.0.1

Provides daily Shopify sales summaries, low stock alerts, and competitor price tracking using your Shopify API key.

0 · 127 · 0 current · 0 all-time
by Nubra Valley @jamod

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jamod/surfisup-ecom-monitor.

Prompt Preview: Install & Setup
Install the skill "myskill" (jamod/surfisup-ecom-monitor) from ClawHub.
Skill page: https://clawhub.ai/jamod/surfisup-ecom-monitor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install surfisup-ecom-monitor

ClawHub CLI

npx clawhub@latest install surfisup-ecom-monitor
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The declared purpose (Shopify sales summaries, low-stock alerts, competitor price tracking) is reasonable, but the package metadata and manifest do not declare the credentials or services (Shopify API key, SMTP/Telegram tokens, competitor tracking endpoints) that would be needed. skill.json names the skill 'EcomMonitor' while the top-level name is 'myskill', and README/CHANGELOG claim 'no persistence' while SKILL.md explicitly says the agent 'Sets cron job'—these inconsistencies reduce confidence that requested capabilities align with what's required.
! Instruction Scope
SKILL.md is very short and vague: it instructs the agent to fetch sales data, send reports, and set a cron job. It references sending alerts via Telegram/email and competitor price tracking but gives no concrete endpoints, no guidance on required tokens/SMTP config, and no constraints on what files or system state the agent may modify. The instruction 'Sets cron job' directs persistent system modification which is outside the stated 'no persistence' claim.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes risk from arbitrary binaries or downloads. The lack of an install step is consistent with being an instruction-only skill, though it shifts risk to whatever the agent runtime will do when following the instructions.
! Credentials
The SKILL.md says 'Setup needed: Shopify API key' and mentions email/Telegram alerts, but the registry metadata shows no required environment variables or primary credential. For alerting and competitor tracking the agent would typically need additional credentials or configuration (SMTP credentials, TELEGRAM_BOT_TOKEN or webhook, competitor API keys). The absence of declared env vars is disproportionate and unexplained.
! Persistence & Privilege
The README asserts 'No persistence' but SKILL.md's example flow includes 'Sets cron job' (creating scheduled, persistent behavior on the host). Even though always:false and autonomous invocation is normal, instructions that create cron jobs imply modifying system state and establishing persistence without declaring that requirement or asking for elevated permissions.
What to consider before installing
This skill contains several contradictions and vague instructions. Before installing or providing credentials:

1) Ask the author to clarify and update SKILL.md and metadata to explicitly list required environment variables (Shopify API key, SMTP/Telegram credentials, any competitor API keys) and explain exactly how alerts are sent.
2) Confirm whether the agent will write cron jobs or otherwise modify system crontab; if so, require explicit, auditable instructions and prefer using an external scheduler or a separate, dedicated automation service.
3) Only provide a read-only Shopify API token scoped to minimal data needed, and use dedicated, limited-purpose alert credentials (a throwaway SMTP account or a bot token with narrow scope).
4) Request details on how competitor tracking works (which domains/APIs are contacted) and ask for safeguards against scraping sensitive endpoints.
5) Do not grant broad or production credentials until the skill's behavior is fully specified and you have assurance it won't alter system files.

If the author cannot satisfactorily update the documentation and manifest to remove these mismatches, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest vk97fvktv8vn3nym93nwn06hmq983avzj
127 downloads
0 stars
2 versions
Updated 1mo ago
v1.0.1
MIT-0

EcomMonitor Skill

Triggers: "shopify monitor", "check sales", "stock alert"

What it does:

  • Daily Shopify sales summary (revenue, top products)
  • Low stock alerts (<10 units) via Telegram/email
  • Competitor price tracking

Setup needed: Shopify API key (user provides)

Example: User: "Monitor my Shopify store daily" → Agent: Fetches sales data → Sends report → Sets cron job
