← Back to Skills Marketplace

Store Onboarding

Name: Store Onboarding
Author: fengzie

by fengzie · GitHub ↗ · v0.2.0 · MIT-0

cross-platform ⚠ suspicious

129

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install mobazha-store-onboarding

Description

Complete the first-time setup wizard for a new Mobazha store. Use after deployment to configure admin password, store name, currencies, and profile.

Usage Guidance

This skill appears to implement a legitimate store onboarding flow, including setting an admin password and obtaining a bearer token. However, the skill metadata does NOT declare required credentials even though SKILL.md says credentials will be used — that's an inconsistency you should fix or confirm before using. Before installing or running: 1) Confirm the skill source and trustworthiness; 2) Only provide the admin password and bearer token interactively, never as persistent env vars or files; 3) Require the agent to ask for explicit consent and to confirm the target store URL (to avoid mis-targeting); 4) Test the flow on a non-production instance first; 5) Ask the publisher/maintainer to update registry metadata to declare the credential types (primary credential) so the platform can protect them. If you cannot verify the source or the metadata is not fixed, consider the skill suspicious and avoid using it for production stores.

Capability Analysis

Type: OpenClaw Skill Name: mobazha-store-onboarding Version: 0.2.0 The skill bundle provides legitimate documentation and API instructions for the first-time setup of a Mobazha store. It includes security-conscious instructions for the AI agent to handle credentials safely and provides standard administrative troubleshooting commands for local database resets in SKILL.md. No evidence of malicious intent, data exfiltration, or unauthorized access was found.

Capability Tags

cryptocan-make-purchasesrequires-oauth-tokenrequires-sensitive-credentials

Capability Assessment

⚠ Purpose & Capability

The SKILL.md clearly describes setting an admin password and obtaining a Bearer token (sensitive operations appropriate for an onboarding skill). However, the registry metadata declares no primary credential and no required env vars/config paths. That mismatch is unexpected: a skill that handles admin credentials should declare that in its metadata so callers/platform can enforce protections.

ℹ Instruction Scope

The runtime instructions stay within the stated onboarding scope: checking /v1/system/setup, POSTing to /v1/system/setup to set the admin password, then using /platform/v1/auth/tokens and profile/settings/media endpoints. The doc explicitly requires explicit user consent before making API calls and warns not to store secrets. It does not instruct the agent to read unrelated files or system state. One place to watch: the instructions assume the agent or user supplies the correct store URL and do not prescribe hostname verification or ways to confirm the target is the intended store (a potential for mis-targeting/social-engineering).

✓ Install Mechanism

Instruction-only skill with no install spec and no code files. This minimizes disk-write/execution risk — the skill will only run the agent's normal networking/IO actions per the SKILL.md.

⚠ Credentials

The SKILL.md declares requires_credentials: true and enumerates 'Admin password' and 'Bearer token' as credential types, but the registry metadata lists no required env vars and no primary credential. That inconsistency means the platform cannot automatically protect or surface required secrets. The number and sensitivity of credentials (admin password / bearer token) are proportional to onboarding, but they should be declared in metadata so the agent/platform can handle them securely.

ℹ Persistence & Privilege

The skill is not always-enabled and has no install persistence. Autonomous invocation is allowed (platform default). Because this skill deals with sensitive credentials, autonomous runs combined with the metadata omission raise risk: ensure the agent will solicit explicit consent at runtime and will not persist or leak credentials. The SKILL.md does instruct not to store or log secrets.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install mobazha-store-onboarding
After installation, invoke the skill by name or use /mobazha-store-onboarding
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.2.0

Add credential declarations and consent notice for password setup

v0.1.0

Initial release

Metadata

Slug mobazha-store-onboarding

Version 0.2.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 2

Frequently Asked Questions

What is Store Onboarding?

Complete the first-time setup wizard for a new Mobazha store. Use after deployment to configure admin password, store name, currencies, and profile. It is an AI Agent Skill for Claude Code / OpenClaw, with 129 downloads so far.

How do I install Store Onboarding?

Run "/install mobazha-store-onboarding" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Store Onboarding free?

Yes, Store Onboarding is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Store Onboarding support?

Store Onboarding is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Store Onboarding?

It is built and maintained by fengzie (@fengzie); the current version is v0.2.0.

More Skills