Security Scan
OpenClaw
Suspicious
medium confidence
The skill's instructions match a Shopify SEO advisory tool, but metadata and install guidance are inconsistent and the SKILL.md directs users to run an npx install from an external package (nexscope) without that package or source being declared in the registry — verify before installing or granting access.
Assessment and Recommendations
This skill appears to be an advice-only Shopify SEO guide, but there are two red flags to check before installing or following its 'npx' instruction: (1) the registry metadata lists no source or homepage, yet SKILL.md points to Nexscope and an npm-style install (nexscope/shopify-seo). Verify the package exists on npm and the publisher is legitimate (check npm/GitHub repository, read the package code and recent release history). (2) Never run npx or install packages you haven't inspected — npx ex...
ℹ Purpose and Capabilities
The skill's name and content describe Shopify SEO audits and recommendations and do not request unrelated capabilities. However, the SKILL.md claims a vendor (Nexscope) and provides an npx install command not reflected in the registry metadata (source: unknown, homepage: none), which is an inconsistency worth verifying.
✓ Instruction Scope
Runtime instructions are purely advisory (how to use the skill and what outputs to produce) and do not instruct the agent to read local files, environment variables, or to transmit data to unexpected endpoints. The scope aligns with a guidance-only SEO skill.
⚠ Install Mechanism
Although the registry lists no install spec (instruction-only), SKILL.md contains an explicit 'npx skills add nexscope/shopify-seo' command that would download and run code from npm. That external install source is not declared in the registry metadata and could fetch arbitrary code — treat the npx instruction as an external-code risk until you verify the package and publisher.
✓ Credential Requirements
The skill declares no required environment variables, credentials, or config paths. For an advisory SEO skill this is proportionate; be cautious if the agent later asks for Shopify admin API keys or other secrets, which are not currently declared.
✓ Persistence and Privileges
The skill does not request always:true and uses default invocation settings. There is no indication it attempts to modify other skills or system-wide configuration.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Versions
latest v1.0.0 2026/4/1
Initial release — multi-platform e-commerce skill
● Benign
Install Command
Official: npx clawhub@latest install shopify-seo
Mirror (accelerated): npx clawhub@latest install shopify-seo --registry https://cn.longxiaskill.com