← 返回 Skills 市场

amazon-to-shopify-sync

Name: amazon-to-shopify-sync
Author: walynlee

作者 Walyn · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

817

总下载

当前安装

版本数

在 OpenClaw 中安装

/install amazon-to-shopify-sync

功能描述

Extract multilingual product data from Amazon and sync it to Shopify with automatic token renewal and English content rewriting via REST Admin API.

使用说明 (SKILL.md)

Amazon to Shopify Sync Skill 🦞

Description

Extract product data from Amazon (multilingual) and synchronize it directly to Shopify via REST Admin API with automatic token renewal.

Core Logic

Automatic Token Renewal: Triggers client_credentials grant before every sync to bypass the 24h token expiry.
Multilingual Support: Extracted French content is rewritten into high-conversion English Body HTML.
API Mapping: Targets dinoho.myshopify.com for authentication and dinoho.cn for store data.

Configuration

Grant URL: https://dinoho.myshopify.com/admin/oauth/access_token
Product API: https://dinoho.myshopify.com/admin/api/2024-01/products.json
Keys: Client ID (32-char) & Secret Key (Managed in environment/scripts).

Usage

Trigger this skill when the user provides an Amazon URL (e.g. Amazon.fr, .de, .uk) for automated Shopify listing.

安全使用建议

Do not install or run this skill as-is. Key issues: (1) the script contains hardcoded Shopify credentials (CLIENT_ID and CLIENT_SECRET) — this is sensitive and unexpected given the skill declares no required env vars; (2) SKILL.md and code are inconsistent (claims to extract from Amazon but the script lacks scraping/fetch logic and contains static product text); (3) the OAuth flow used (client_credentials) and the presence of two domains (dinoho.myshopify.com and dinoho.cn) are unexplained. Before using: ask the publisher to remove embedded secrets and declare required environment variables; require that auth use a documented, secure OAuth flow and that credentials belong to you; verify which domain/store the skill will access; review and test in a sandbox store; rotate any exposed credentials that might be real. If you need this functionality, prefer a version that accepts credentials via environment/config and clearly documents its Amazon scraping and Shopify API calls.

功能分析

Type: OpenClaw Skill Name: amazon-to-shopify-sync Version: 1.0.0 The skill bundle contains hardcoded Shopify API credentials (CLIENT_ID and CLIENT_SECRET) within `scripts/sync.py`, which is a significant security vulnerability. The logic is also hardcoded to interact with a specific store domain (`dinoho.myshopify.com`) and uses static product data rather than dynamic extraction, which is inconsistent with its stated purpose of being a general Amazon-to-Shopify sync tool. While there is no clear evidence of intentional data exfiltration from the user, the exposure of sensitive keys and the highly specific, non-functional sync logic are suspicious.

能力评估

⚠ Purpose & Capability

The name/description say 'extract from Amazon and sync to Shopify' and to manage credentials via environment/scripts, but the code hardcodes CLIENT_ID and CLIENT_SECRET. The SKILL.md references two domains (dinoho.myshopify.com and dinoho.cn) which is unexplained. The script provides mapping and a token request but no Amazon scraping/fetching logic and no actual POST to the Shopify products API — several pieces needed for the stated purpose are missing or inconsistent.

⚠ Instruction Scope

SKILL.md instructs automatic token renewal and triggering on a provided Amazon URL, but the included script does not implement Amazon extraction and instead contains static product data/templates. The instructions ask for client_credentials grant usage (before every sync) — this OAuth flow is uncommon for Shopify and is not justified in the docs. The mismatch between the prose (manage keys in env) and actual code (hardcoded secrets) is a scope and trust concern.

✓ Install Mechanism

No install spec is provided (instruction-only with one script), so there is low install-time risk (nothing is downloaded or auto-executed beyond the included files). However, the contained script executes network calls (requests.post) and includes a secret; lack of an install step does not mitigate the hardcoded-credential risk.

⚠ Credentials

Registry metadata declares no required env vars/credentials, yet the code contains a 32-char CLIENT_ID and a 'shpss_' secret-looking CLIENT_SECRET embedded in scripts/sync.py. That contradicts the declared requirements and is disproportionate: a syncing skill should request credentials for the target store (and ideally via env vars), not hardcode them. The presence of a plausible Shopify secret in source is a high-risk red flag.

✓ Persistence & Privilege

The skill is not marked always:true and does not request system-wide changes or modify other skills. It does perform network operations but does not request elevated platform persistence in its metadata.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install amazon-to-shopify-sync
安装完成后，直接呼叫该 Skill 的名称或使用 /amazon-to-shopify-sync 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

amazon-to-shopify-sync 1.0.0 - Initial release. - Extracts product data from Amazon (supports multiple languages). - Auto-rewrites French content into high-conversion English for Shopify listings. - Syncs products to Shopify using REST Admin API with automatic token renewal. - Designed to work with dinoho.myshopify.com authentication and dinoho.cn data endpoints.

元数据

Slug amazon-to-shopify-sync

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题