Plugin v1.5.11

ClawScan security

CLISHOP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 6, 2026, 12:17 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement a real shopping service and includes a bundled Node runtime that will be executed locally, but the runtime and its instructions give reason for caution: a prompt-injection signal in SKILL.md, local keychain/file storage of session tokens, and a large executable bundle that will run on your machine.
Guidance
This bundle looks like a legitimate shopping skill but includes a bundled Node runtime that will be executed locally and will store session tokens in your OS keychain or local files. Before installing:
1) Review dist/mcp.cjs (the bundled runtime) or run it in a sandboxed environment to confirm there are no unexpected network endpoints or filesystem accesses.
2) Be cautious about granting the agent network or filesystem access; limit agent spending/auto-purchase settings and require human confirmation for purchases.
3) Do not share raw card details in chat; follow the skill's web-based payment flow.
4) The SKILL.md contained a prompt-injection pattern; treat instructions that ask the agent to 'use the setup tool with the user's email' as potentially ambiguous and verify what data is actually sent during setup.
5) If you lack the ability to audit the bundled code, prefer running this in an isolated environment or decline installation.
Findings
[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. A shopping skill legitimately needs runtime and setup instructions, but system-prompt override patterns are not expected and could attempt to manipulate agent behavior.

Review Dimensions

Purpose & Capability
ok: Name/description, MCP config (.mcp.json), SKILL.md instructions, and the included dist/mcp.cjs are internally consistent: a shopping skill that launches a local MCP Node runtime to expose clishop__* commands is expected for this functionality.
Instruction Scope
concern: SKILL.md instructs running a local Node MCP runtime (node ./dist/mcp.cjs) and using a 'setup' tool with the user's email; it explicitly states tokens are stored in the OS keychain or local files. The pre-scan flagged a 'system-prompt-override' pattern in SKILL.md (prompt-injection signal). The instructions also tell agents to handle payment flows via web links (good), but the SKILL.md contains ambiguous guidance that could cause the agent to solicit or handle sensitive data if misused.
Install Mechanism
note: There is no external install spec (no downloads during install), but the bundle includes a large (~1.7MB) dist/mcp.cjs Node program that OpenClaw will be configured to run locally. Bundled code executed on the user's machine is a higher-risk surface than instruction-only skills, even if there are no external downloads.
Credentials
concern: The skill declares no required env vars, but the runtime will store session tokens in the OS keychain or fall back to local file storage, and will handle addresses and payment flows. Access to the OS keychain and filesystem is sensitive; the manifest does not declare or document exact storage locations or any required system permissions, which reduces transparency.
Persistence & Privilege
note: always:false (not force-included). The bundle configures a persistent local MCP server process (node ./dist/mcp.cjs) which will run while the agent uses the skill. Autonomous invocation is allowed (normal). Running a persistent local server increases attack surface compared with ephemeral instruction-only skills.