Downloads: 413
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install skill-dropshipping-product-launcher
Description
Creates WooCommerce draft product listings with images, variants, and margin calculation from CJ Dropshipping products using product ID and sell price.
Usage Guidance
This skill appears to do what it says (fetch CJ product data and create a WooCommerce draft), but be aware of several practical and privacy/security points before installing:
- Transparency mismatch: The registry entry claims no required credentials or config paths, yet the code reads ~/cj-api.json and ~/woo-api.json (or CJ_API_PATH/WOO_API_PATH). Verify and supply only credentials for the store you control.
- Files modified: The skill will update ~/cj-api.json with refreshed access tokens and creates /tmp/product-images/<product_id>/ files. If you do not want files changed in your home directory, run it in a controlled environment or adjust CJ_API_PATH/WOO_API_PATH to point to secure locations.
- Default store indicators: config/internal.md and example outputs reference tech1mart.com. Check that the url field in woo-api.json points to your intended WordPress site; otherwise the script could target someone else's store if misconfigured.
- Least privilege: Use WooCommerce API keys with the minimum required permissions (ideally product/media write scoped) and do not supply broader admin secrets.
- Test in dry-run first: Use --dry-run to confirm fetched product data and image handling without making writes to WooCommerce.
- Audit credentials: Inspect the two config files before and after a run to ensure only expected fields are present and the token refresh behavior is acceptable.
If you need higher assurance, ask the publisher to update the registry metadata to explicitly list required config paths and env vars (CJ_API_PATH, WOO_API_PATH and the expected JSON schemas), or review the code yourself. If you cannot verify the target WooCommerce URL or the origin of the package, run it in an isolated VM/container and supply throwaway credentials while testing.
Capability Analysis
Type: OpenClaw Skill
Name: skill-dropshipping-product-launcher
Version: 1.0.0
The skill appears to be designed for its stated purpose of dropshipping product listing. However, it exhibits potential vulnerabilities that classify it as 'suspicious'. Specifically, the `downloadImage` function in `scripts/launch.js` downloads images from URLs provided by the CJ Dropshipping API, which could pose an SSRF risk if a compromised CJ API were to supply malicious internal network URLs. Additionally, the `category` argument in `scripts/woo-create.js` is passed directly to a WooCommerce API search parameter, which could be a vector for injection depending on the WooCommerce backend's sanitization.
Capability Assessment
Purpose & Capability
Overall capability aligns with the name/description: scripts fetch CJ product data, download images, upload to a WordPress/WooCommerce site, calculate margin, and create a draft product. However, the registry metadata claimed no required config paths or credentials while SKILL.md and the code require CJ and WooCommerce credential files (~/cj-api.json and ~/woo-api.json) or the equivalent env vars (CJ_API_PATH, WOO_API_PATH). That mismatch reduces transparency and is unexpected.
Instruction Scope
Runtime instructions and code read credential JSON files from the user's home directory and will write back an access token to ~/cj-api.json (cj-fetch.js updates tokenExpiry/accessToken). The skill also downloads images into /tmp/product-images/<product_id>/ and uploads them to the configured WooCommerce site, creates categories, and writes products/variations via the Woo REST API. These I/O actions are consistent with the stated purpose but are potentially impactful (modifies files in your home dir and remote store). The SKILL.md did document the files, but the registry metadata did not — a scope/transparency issue.
Install Mechanism
This is an instruction+code skill with normal npm dependencies (axios, form-data). There is no remote archive download or obscure install host. package-lock.json is present and dependencies resolve from the public npm registry; installing via npm is the expected way and proportional to the task.
Credentials
The skill requires sensitive credentials (CJ API keys and WooCommerce consumerKey/consumerSecret) supplied via files (~/cj-api.json, ~/woo-api.json) or override env vars (CJ_API_PATH, WOO_API_PATH). The registry metadata listed no required env vars/config paths, which is inconsistent and misleading. config/internal.md also references an 'Active store: tech1mart.com' (default base URL), suggesting the repo may be preconfigured for a specific store — verify that your credentials and URLs are pointed to the store you intend. The skill will store refreshed access tokens back to ~/cj-api.json (credential file modification).
Persistence & Privilege
The skill does not request permanent platform presence (always: false) and does not modify other skills or system-wide agent settings. Its only persistent effect on the host is writing/updating the CJ credential file (token refresh) and writing temporary image files to /tmp; these are within the skill's functional scope but should be noted.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-dropshipping-product-launcher
- After installation, invoke the skill by name or use /skill-dropshipping-product-launcher
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Launch CJ Dropshipping products as WooCommerce draft listings in one command.
- Fetches product and variant data from CJ Dropshipping APIs
- Downloads and uploads product images to your WordPress media library
- Calculates profit margin and warns if margin is below 30%
- Creates WooCommerce draft products (with variants if available) and outputs relevant URLs
- Supports preview mode (dry-run) and custom categories
- Outputs a structured JSON summary for downstream automation
Frequently Asked Questions
What is Skill Dropshipping Product Launcher?
Creates WooCommerce draft product listings with images, variants, and margin calculation from CJ Dropshipping products using product ID and sell price. It is an AI Agent Skill for Claude Code / OpenClaw, with 413 downloads so far.
How do I install Skill Dropshipping Product Launcher?
Run "/install skill-dropshipping-product-launcher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Dropshipping Product Launcher free?
Yes, Skill Dropshipping Product Launcher is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skill Dropshipping Product Launcher support?
Skill Dropshipping Product Launcher is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Dropshipping Product Launcher?
It is built and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.0.