← Back to Skills Marketplace
WPClaw Lite (WordPress/WooCommerce connector)
by
magnum-opus-v1
· GitHub ↗
· v1.0.0
1935
Downloads
1
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install wpclaw-lite
Description
Connects to a WooCommerce store via the WPClaw Connector plugin to fetch orders and products.
Usage Guidance
This skill's behavior is consistent with a WooCommerce connector, but the package metadata omitted the environment variables that the code actually requires. Before installing: (1) Confirm the publisher and that the WordPress plugin (WPClaw Connector) on your store is genuine and audited; (2) only provide the WPCLAW_STORE_SECRET to trusted code and consider using a least-privilege/test store or rotated key for evaluation; (3) verify transport is HTTPS for WPCLAW_STORE_URL and that the plugin expects HMAC signatures as implemented; (4) ask the publisher to correct the registry metadata so required credentials are declared; (5) review the WP plugin server-side code (or test in staging) to ensure no unexpected endpoints or behaviors; and (6) run npm install in an isolated environment and inspect node_modules if you plan to execute the skill locally. The current inconsistencies suggest a packaging error or sloppy release process rather than clear malicious intent, but treat the store secret as sensitive until you validate the whole stack.
Capability Analysis
Type: OpenClaw Skill
Name: wpclaw-lite
Version: 1.0.0
The skill is designed to connect to a WooCommerce store using provided environment variables (`WPCLAW_STORE_URL`, `WPCLAW_STORE_SECRET`). The `scripts/index.js` file uses `axios` to make authenticated HTTP requests to the specified store URL, employing HMAC-SHA256 signing with the secret key for security. There is no evidence of data exfiltration beyond the stated purpose, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` or `README.md`. All dependencies (`axios`) are legitimate, and the code's functionality aligns directly with its description.
Capability Assessment
Purpose & Capability
The skill name, README, SKILL.md, and scripts/index.js all describe a WooCommerce/WPClaw connector and the code implements exactly that (endpoints under /wp-json/wpclaw/v1, order/product lookup, and a status check). This is coherent with the declared purpose. However, registry metadata listed no required environment variables while both SKILL.md and the code require WPCLAW_STORE_URL and WPCLAW_STORE_SECRET, which is an inconsistency in packaging/metadata that should be resolved.
Instruction Scope
SKILL.md instructs only actions related to the connector (check_order, find_product, store_status). The code uses only the declared env vars and does not read other system files or unrelated credentials. One implementation detail: SKILL.md and README claim requests are HMAC-SHA256-signed; the code signs POST requests with X-WPClaw-Signature but performs an unsigned GET for the store_status endpoint — this may be intentional (public status endpoint) or an oversight. No instructions ask the agent to collect unrelated system data.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes package.json and README guidance to run npm install (axios dependency). That is a normal, low-to-moderate risk install pattern. No external, unusual download URLs or extract/install steps are present in the skill bundle.
Credentials
The code and SKILL.md require two environment variables (WPCLAW_STORE_URL and WPCLAW_STORE_SECRET) — this is appropriate for the purpose. However, the registry metadata declares no required env vars and no primary credential, creating a proportionality/packaging mismatch. The store secret is sensitive (it grants API access to the store) and the skill requests it; the registry should have declared this. Verify why the metadata omitted these requirements before provisioning secrets.
Persistence & Privilege
The skill is user-invocable, not always-included, and does not request elevated persistence or modify other skills/config. It doesn't persist additional credentials itself or request system-wide config changes. Autonomous invocation is allowed (platform default); nothing in the skill elevates privilege beyond normal operation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wpclaw-lite - After installation, invoke the skill by name or use
/wpclaw-lite - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
wpclaw-lite 1.0.0
- Initial release as "WPClaw Connector" skill.
- Connects to WooCommerce stores via the WPClaw Connector plugin.
- Supports fetching order details, searching for products, and checking store connection status.
- Requires `WPCLAW_STORE_URL` and `WPCLAW_STORE_SECRET` environment variables for configuration.
Metadata
Frequently Asked Questions
What is WPClaw Lite (WordPress/WooCommerce connector)?
Connects to a WooCommerce store via the WPClaw Connector plugin to fetch orders and products. It is an AI Agent Skill for Claude Code / OpenClaw, with 1935 downloads so far.
How do I install WPClaw Lite (WordPress/WooCommerce connector)?
Run "/install wpclaw-lite" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is WPClaw Lite (WordPress/WooCommerce connector) free?
Yes, WPClaw Lite (WordPress/WooCommerce connector) is completely free (open-source). You can download, install and use it at no cost.
Which platforms does WPClaw Lite (WordPress/WooCommerce connector) support?
WPClaw Lite (WordPress/WooCommerce connector) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created WPClaw Lite (WordPress/WooCommerce connector)?
It is built and maintained by magnum-opus-v1 (@magnum-opus-v1); the current version is v1.0.0.
More Skills