Skill Dropshipping Product Launcher

Creates WooCommerce draft product listings with images, variants, and margin calculation from CJ Dropshipping products using product ID and sell price.

This skill appears to do what it says (fetch CJ product data and create a WooCommerce draft), but be aware of several practical and privacy/security points before installing: - Transparency mismatch: The registry entry claims no required credentials or config paths, yet the code reads ~/cj-api.json and ~/woo-api.json (or CJ_API_PATH/WOO_API_PATH). Verify and supply only credentials for the store you control. - Files modified: The skill will update ~/cj-api.json with refreshed access tokens and creates /tmp/product-images/<product_id>/ files. If you do not want files changed in your home directory, run it in a controlled environment or adjust CJ_API_PATH/WOO_API_PATH to point to secure locations. - Default store indicators: config/internal.md and example outputs reference tech1mart.com. Check that the woo-api.json.url points to your intended WordPress site — otherwise the script could target someone else’s store if misconfigured. - Least privilege: Use WooCommerce API keys with the minimum required permissions (ideally product/media write scoped) and do not supply broader admin secrets. - Test in dry-run first: Use --dry-run to confirm fetched product data and image handling without making writes to WooCommerce. - Audit credentials: Inspect the two config files before and after a run to ensure only expected fields are present and the token refresh behavior is acceptable. If you need higher assurance, ask the publisher to update the registry metadata to explicitly list required config paths and env vars (CJ_API_PATH, WOO_API_PATH and the expected JSON schemas), or review the code yourself. If you cannot verify the target WooCommerce URL or the origin of the package, run it in an isolated VM/container and supply throwaway credentials while testing.

Type: OpenClaw Skill Name: skill-dropshipping-product-launcher Version: 1.0.0 The skill appears to be designed for its stated purpose of dropshipping product listing. However, it exhibits potential vulnerabilities that classify it as 'suspicious'. Specifically, the `downloadImage` function in `scripts/launch.js` downloads images from URLs provided by the CJ Dropshipping API, which could pose an SSRF risk if a compromised CJ API were to supply malicious internal network URLs. Additionally, the `category` argument in `scripts/woo-create.js` is passed directly to a WooCommerce API search parameter, which could be a vector for injection depending on the WooCommerce backend's sanitization.