zero2ai-hub

Skill Dropshipping Sourcing

by Zero2Ai · GitHub · v1.0.2
Platform: cross-platform · Rating: ⚠ suspicious
Downloads: 493 · Stars: 0 · Active Installs: 2 · Versions: 3
Install in OpenClaw
/install skill-dropshipping-sourcing
Description
Query CJ Dropshipping API v2.0 to source products and fetch details for catalog building. Use for CJ keyword search, pulling product records (SPU/SKU, images...
Usage Guidance
This skill appears to do what it claims (query CJ Dropshipping), but before installing or running it:
  1. Ensure you have Node and the axios package installed; the skill does not install its own dependencies.
  2. Create a dedicated cj-api.json in a safe, isolated directory containing your CJ apiKey (and optionally accessToken/tokenExpiry), and keep that file private.
  3. Do not point CJ_API_PATH at sensitive system files: the scripts read and overwrite whatever path that variable names.
  4. Run the token refresh and search commands under a non-privileged account and in a dedicated folder, so an accidental write cannot clobber anything important.
  5. For a stricter setup, add a minimal package.json with explicit install steps (npm install axios), or sandbox execution.
If you need greater assurance, ask the publisher for a package.json and an explicit list of runtime requirements, or review the code locally before running it.
Capability Analysis
Type: OpenClaw Skill · Name: skill-dropshipping-sourcing · Version: 1.0.2
The skill is classified as suspicious because `scripts/source.js` writes to an unvalidated, caller-supplied path: the `--out` argument is passed straight to `fs.writeFileSync(args.out, ...)`, so a caller, or a prompt-injected agent choosing the arguments, can direct the write to any location the running account can reach rather than the intended local output file. A traversal value such as `../../etc/passwd` escapes the output directory; whether a system file is actually overwritten depends on the privileges the skill runs with, which is why running it unprivileged matters. While the overall intent of the skill (CJ Dropshipping API interaction) appears benign, an arbitrary file write of this kind is a significant risk of unauthorized file modification, and the `CJ_API_PATH` override described in the assessment below exposes the config read and write to the same class of problem.
Capability Assessment
Purpose & Capability
The name/description match the code: both token.js and source.js call CJ API endpoints and produce normalized output for catalog building. However, the skill metadata declares no required binaries or credentials, while the runtime expects a local config file (./cj-api.json) containing an apiKey and accessToken. That mismatch (no declared runtime requirements, but Node scripts that need Node, axios and a local API key) is a documentation/packaging inconsistency.
Instruction Scope
SKILL.md instructs running token.js and source.js and references ./cj-api.json only. The scripts only read/write that config and make requests to CJ's API, which is in-scope. However both scripts accept CJ_API_PATH via environment to override the config file location, which allows reading/writing an arbitrary filesystem path if an attacker or misconfiguration sets that variable. The instructions don't warn about this or restrict the path.
Install Mechanism
There is no install spec; the skill is instruction-only but includes Node scripts that require a Node runtime and the axios package. The registry metadata lists no required binaries/dependencies. Users must ensure Node and the axios dependency are present; without a package.json or install instructions this is a packaging omission that can lead to surprises or mismatched environments.
Credentials
The skill does not request unrelated credentials. It expects an apiKey in a local JSON file and will store accessToken/tokenExpiry back to that file — which is proportionate for a CJ API integration. The only environment variable the code looks at is CJ_API_PATH (to override config path), which is not declared in the metadata; this should be documented and treated cautiously because it can redirect the skill to arbitrary files.
Persistence & Privilege
The skill persists credentials (accessToken and tokenExpiry) to cj-api.json and will overwrite whatever path CJ_API_PATH points to. While writing its own config is expected, the ability to write an arbitrary file path (via CJ_API_PATH) increases risk of accidental or malicious overwriting of sensitive files. The skill does not request 'always' or elevated platform privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-dropshipping-sourcing
  3. After installation, invoke the skill by name or use /skill-dropshipping-sourcing
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
  - No changes detected in this version.
  - Documentation and functionality remain the same as the previous release.
v1.0.1
  - Updated file paths for configuration and scripts to be relative to the current directory.
  - Script usage now references `./cj-api.json` and simplified `scripts/` paths.
  - Documentation in SKILL.md is clearer and matches updated usage conventions.
v1.0.0
  - Initial release of the skill for sourcing CJ Dropshipping product data via API v2.0.
  - Supports keyword-based product search, pulling product details (SPU/SKU, images, categories, variants/colors).
  - Provides CLI tools for refreshing access tokens and fetching product lists with normalized JSON output.
  - Aims to streamline dropshipping catalog automation with reliable, up-to-date CJ product info.
Metadata
Slug skill-dropshipping-sourcing
Version 1.0.2
License
All-time Installs 2
Active Installs 2
Total Versions 3
Frequently Asked Questions

What is Skill Dropshipping Sourcing?

Query CJ Dropshipping API v2.0 to source products and fetch details for catalog building. Use for CJ keyword search, pulling product records (SPU/SKU, images... It is an AI Agent Skill for Claude Code / OpenClaw, with 493 downloads so far.

How do I install Skill Dropshipping Sourcing?

Run "/install skill-dropshipping-sourcing" in the OpenClaw or Claude Code chat to install it in one step. Note that the install does not set up the runtime the skill's scripts need: you still have to provide Node, the axios package and a local cj-api.json yourself (see Usage Guidance above).

Is Skill Dropshipping Sourcing free?

Yes, Skill Dropshipping Sourcing is free to download, install and use. No license is listed on this page, so check the GitHub repository before relying on it as open source.

Which platforms does Skill Dropshipping Sourcing support?

Skill Dropshipping Sourcing is cross-platform and runs anywhere OpenClaw / Claude Code is available, provided a Node runtime and the axios package are present.

Who created Skill Dropshipping Sourcing?

It is built and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.2.
