Skill v1.0.0
ClawScan security
productOptimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 4:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (bulk-optimizing BigCommerce product content); it asks for no unrelated credentials and performs only expected API calls and local progress tracking.
- Guidance: What to consider before installing:
  1) Code and instructions are coherent for a BigCommerce content optimizer, but the tool will perform write operations across products; test on a staging store or a small product subset first.
  2) Provide a least-privilege API token (only Products read+write), and avoid running it against production until you confirm outputs.
  3) The skill writes progress.json and page_*.json files in whatever directory you run it from; pick a dedicated workspace and back up current product data beforehand.
  4) The SKILL.md suggests 'pip install --break-system-packages'; instead use a Python virtual environment (python -m venv) to avoid altering system packages.
  5) If you want manual review between pages, do not follow the 'Do NOT stop between pages' instruction; run with a small --limit and a manual update workflow until you are comfortable.
  6) If you need higher assurance, review the remainder of the bc_optimizer.py file (the truncated portion) to confirm error handling and that no external endpoints beyond api.bigcommerce.com are used.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, and the included Python script all focus on fetching products from BigCommerce, generating updated titles/descriptions, and pushing updates back using the provided store hash and API token. The required binary (python3) and the runtime dependency (requests) are appropriate and proportional.
- Instruction Scope (note): Instructions are specific to the BigCommerce workflow (init, fetch, generate updates, push updates). They require a CLI-provided store hash and API token and write progress.json and page_N_products.json/page_N_updates.json files in the current directory. One notable instruction is an explicit demand to 'Do NOT stop between pages' (process all pages continuously), which grants the agent broad autonomous action over the entire catalog; that is consistent with the skill's purpose but elevates operational risk if run against a live store without supervision. It also instructs users to run 'pip install requests --break-system-packages', which can be intrusive on system Python environments.
- Install Mechanism (note): There is no install spec; the skill is instruction-only plus a helper script. That keeps installer risk low. However, the SKILL.md tells users to run pip install with the --break-system-packages flag; recommending that flag is unusual and can modify system package state on some Linux distributions. Recommend using a virtual environment instead of system-wide pip changes.
- Credentials (ok): The skill does not request unrelated environment variables or secrets. It requires a BigCommerce store hash and an API token with product read/write scope (passed as CLI arguments), which are exactly what the skill needs to operate.
- Persistence & Privilege (note): always:false and normal agent invocation are used. The skill writes local files (progress.json, page_* files) to the current working directory; it does not request permanent platform-wide privileges or modify other skills. However, the explicit autonomous continuous-run requirement (process all pages without pausing) means a granted invocation could make large, irreversible changes to a store in one run; this is a functional capability but an operational risk to be acknowledged.
