amazon-to-shopify-sync
v1.0.0
Extract multilingual product data from Amazon and sync it to Shopify with automatic token renewal and English content rewriting via REST Admin API.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description say 'extract from Amazon and sync to Shopify' and to manage credentials via environment/scripts, but the code hardcodes CLIENT_ID and CLIENT_SECRET. The SKILL.md references two domains (dinoho.myshopify.com and dinoho.cn) which is unexplained. The script provides mapping and a token request but no Amazon scraping/fetching logic and no actual POST to the Shopify products API — several pieces needed for the stated purpose are missing or inconsistent.
Instruction Scope
SKILL.md instructs automatic token renewal and triggering on a provided Amazon URL, but the included script does not implement Amazon extraction and instead contains static product data/templates. The instructions ask for client_credentials grant usage (before every sync) — this OAuth flow is uncommon for Shopify and is not justified in the docs. The mismatch between the prose (manage keys in env) and actual code (hardcoded secrets) is a scope and trust concern.
Install Mechanism
No install spec is provided (instruction-only with one script), so there is low install-time risk (nothing is downloaded or auto-executed beyond the included files). However, the contained script executes network calls (requests.post) and includes a secret; lack of an install step does not mitigate the hardcoded-credential risk.
Credentials
Registry metadata declares no required env vars/credentials, yet the code contains a 32-char CLIENT_ID and a 'shpss_' secret-looking CLIENT_SECRET embedded in scripts/sync.py. That contradicts the declared requirements and is disproportionate: a syncing skill should request credentials for the target store (and ideally via env vars), not hardcode them. The presence of a plausible Shopify secret in source is a high-risk red flag.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes or modify other skills. It does perform network operations but does not request elevated platform persistence in its metadata.
What to consider before installing
Do not install or run this skill as-is. Key issues: (1) the script contains hardcoded Shopify credentials (CLIENT_ID and CLIENT_SECRET) — this is sensitive and unexpected given the skill declares no required env vars; (2) SKILL.md and code are inconsistent (claims to extract from Amazon but the script lacks scraping/fetch logic and contains static product text); (3) the OAuth flow used (client_credentials) and the presence of two domains (dinoho.myshopify.com and dinoho.cn) are unexplained. Before using: ask the publisher to remove embedded secrets and declare required environment variables; require that auth use a documented, secure OAuth flow and that credentials belong to you; verify which domain/store the skill will access; review and test in a sandbox store; rotate any exposed credentials that might be real. If you need this functionality, prefer a version that accepts credentials via environment/config and clearly documents its Amazon scraping and Shopify API calls.
Like a lobster shell, security has layers — review code before you run it.
latest
Amazon to Shopify Sync Skill 🦞
Description
Extract product data from Amazon (multilingual) and synchronize it directly to Shopify via REST Admin API with automatic token renewal.
Core Logic
- Automatic Token Renewal: Triggers client_credentials grant before every sync to bypass the 24h token expiry.
- Multilingual Support: Extracted French content is rewritten into high-conversion English Body HTML.
- API Mapping: Targets dinoho.myshopify.com for authentication and dinoho.cn for store data.
Configuration
- Grant URL: https://dinoho.myshopify.com/admin/oauth/access_token
- Product API: https://dinoho.myshopify.com/admin/api/2024-01/products.json
- Keys: Client ID (32-char) & Secret Key (Managed in environment/scripts).
Usage
Trigger this skill when the user provides an Amazon URL (e.g. Amazon.fr, .de, .uk) for automated Shopify listing.
