Security scan
OpenClaw
Security
medium confidence
The skill is an instruction-only Shopify setup guide and its requirements match its stated purpose, but provenance is weak and a surfaced npx install snippet could lead users to run external code — verify the source before running anything.
Assessment recommendations
This skill appears to be a read-only guide and is internally consistent, but take two precautions before using it: (1) provenance: the package's source and homepage are missing/unknown — avoid running the npx command in SKILL.md until you verify the 'nexscope/shopify-store-setup' package and the publisher (inspect the npm package contents / GitHub repo). (2) scope: if you want the agent to actually configure a Shopify store, you will need to create a Shopify API token with minimal required permi...
✓ Purpose and capabilities
Name, description, and SKILL.md content all describe step-by-step Shopify setup guidance (plans, themes, products, payments, shipping, domain, launch). There are no declared credentials, binaries, or config paths that would be unexpected for a guidance-only skill.
✓ Instruction scope
SKILL.md contains only guidance and example prompts; it does not instruct the agent to read local files, access system paths, or exfiltrate data. Some example prompts imply performing configuration actions (e.g., "Set up my shipping rates"), but the skill does not include instructions or env var requirements to perform API calls — it reads as advisory, not an automated integrator.
ℹ Install mechanism
The skill itself has no install spec in the registry (instruction-only), which is low-risk. However, SKILL.md includes an 'Install' example that runs `npx skills add nexscope/shopify-store-setup`. That line points users to fetch and execute code from npm (nexscope). Because this is only documentation (not an automated install), it isn't executed by the platform, but it elevates risk if a user follows it without verifying the external package/source.
✓ Credential requirements
The skill declares no required environment variables, credentials, or config paths. For a guidance-only Shopify setup skill this is proportional. If a user expects the agent to perform real Shopify API operations, they should expect to provide a Shopify API key/token, which is not requested by this skill.
✓ Persistence and privileges
always is false and model invocation is allowed (default). No install-time persistence or modifications to other skills/system settings are requested. Agent autonomy combined with no credentials is not problematic here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/2
Initial release — multi-platform e-commerce skill
● Benign
Install command
Official: npx clawhub@latest install shopify-store-setup
Mirror (accelerated): npx clawhub@latest install shopify-store-setup --registry https://cn.longxiaskill.com (mirror available)