Security scan
OpenClaw
Suspicious
Medium confidence: The skill's declared purpose (generate commerce images, product data, and optional Shopify/WooCommerce publishing) matches most of the code and instructions, but there are notable inconsistencies in the registry metadata, install specification, and packaging that merit caution before enabling it or supplying credentials.
Assessment recommendations
This skill appears to implement what it claims (image generation + product-data + optional Shopify/WooCommerce export), but there are packaging and metadata inconsistencies you should address before installing or providing secrets. Steps to reduce risk:
- Verify the source repository (SKILL.md points to https://github.com/GEO-SEO/geo-visual-opportunity-engine). Inspect that repo and confirm the code there matches the packaged files and is from a trusted author.
- Review src/shopify.py and src/w...
ℹ Purpose and capabilities
The SKILL.md, manifest.json, README, and the src/ modules all describe an e-commerce asset pipeline (GEO analysis, Nano Banana/Gemini image generation, and optional Shopify/WooCommerce export). The required credentials (GOOGLE_API_KEY, SHOPIFY_*, WOOCOMMERCE_*) are coherent with that purpose. However, the top-level registry metadata you provided lists 'Required env vars: none' and 'Required binaries: none' while SKILL.md and the code clearly expect python3 and several env vars; this mismatch is a packaging/metadata inconsistency that reduces trust.
ℹ Instruction scope
SKILL.md instructs the skill to call Google AI Studio (Nano Banana/Gemini) and optionally publish to Shopify/WooCommerce only when credentials and explicit publish flags are provided; it also instructs saving images to local storage. The instructions do not request unrelated system files or broad context collection. The policy to refuse platform publishing unless explicitly enabled is a good safeguard, but the agent instructions and codebase together can perform network calls and write files — review shopify.py/woocommerce.py for exact API behavior before providing store credentials.
⚠ Install mechanism
There is no formal install spec in the registry, but the repo includes a requirements.txt and SKILL.md contains a pip install instruction. The absence of an automated install hook alongside a non-trivial Python codebase is an inconsistency (the skill is not truly instruction-only). Dependencies include the newer google-genai / google-generativeai packages (PyPI), which are expected for Gemini integration but should be vetted for provenance. Overall install behavior is moderate risk because code will be installed and executed locally if you follow SKILL.md.
ℹ Credential requirements
Requested environment variables (GOOGLE_API_KEY for image generation; optional Shopify/WooCommerce credentials for publishing) are proportionate to the stated functionality. The main issue is that registry metadata claims no required env vars while SKILL.md and manifest declare several — this mismatch could cause accidental credential exposure if a user trusts the registry summary instead of reading SKILL.md. If you provide store credentials, ensure they are scoped/minimized and only provided when you explicitly enable publish actions.
✓ Persistence and permissions
The skill does not request always:true and does not declare any agent-level persistent privileges. It can write generated images and export packages to local storage and will perform network requests to image and store APIs when enabled. This is expected for its purpose; combine with least-privilege credentials and explicit opt-in for publishing.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest, v3.0.5, 2026/3/2
Shift public package to export-first positioning and reduce direct platform-write signals
● Harmless
Install command
Official: npx clawhub@latest install geo-visual-opportunity-engine
Mirror (accelerated): npx clawhub@latest install geo-visual-opportunity-engine --registry https://cn.longxiaskill.com