Total downloads: 493 | Favorites: 0 | Current installs: 2 | Versions: 3
Install in OpenClaw
/install skill-dropshipping-sourcing
Description
Query CJ Dropshipping API v2.0 to source products and fetch details for catalog building. Use for CJ keyword search, pulling product records (SPU/SKU, images...
Safe-use recommendations
This skill appears to do what it claims (query CJ Dropshipping), but before installing or running it: (1) Ensure you have Node and the axios package installed — the skill doesn't install dependencies itself. (2) Create a dedicated cj-api.json in a safe, isolated directory containing your CJ apiKey (and optionally accessToken/tokenExpiry); keep that file private. (3) Do not set CJ_API_PATH to sensitive system files — the scripts will read and overwrite whatever path that variable points to. (4) Run the token refresh and search commands in a non-privileged account/folder to avoid accidental file overwrites. (5) If you want to be stricter, add a minimal package.json and explicit install steps (npm install axios) or sandbox execution. If you need greater assurance, ask the publisher for a package.json and an explicit list of runtime requirements, or review the code locally before running.
Functional analysis
Type: OpenClaw Skill
Name: skill-dropshipping-sourcing
Version: 1.0.2
The skill is classified as suspicious due to a path traversal vulnerability in `scripts/source.js`. The script uses the `--out` argument directly in `fs.writeFileSync(args.out, ...)`, which could allow an attacker or a prompt-injected agent to write to arbitrary file paths (e.g., `../../etc/passwd`) instead of the intended local output file. While the overall intent of the skill (CJ Dropshipping API interaction) appears benign, this vulnerability presents a significant risk of unauthorized file modification.
Capability assessment
Purpose & Capability
The name/description match the code: both token.js and source.js call CJ API endpoints and produce normalized output for catalog building. However, the skill metadata declares no required binaries or credentials, while the runtime expects a local config file (./cj-api.json) containing an apiKey and accessToken. That mismatch (no declared runtime requirements, but Node scripts that need Node, axios and a local API key) is a documentation/packaging inconsistency.
Instruction Scope
SKILL.md instructs running token.js and source.js and references ./cj-api.json only. The scripts only read/write that config and make requests to CJ's API, which is in-scope. However both scripts accept CJ_API_PATH via environment to override the config file location, which allows reading/writing an arbitrary filesystem path if an attacker or misconfiguration sets that variable. The instructions don't warn about this or restrict the path.
Install Mechanism
There is no install spec; the skill is instruction-only but includes Node scripts that require a Node runtime and the axios package. The registry metadata lists no required binaries/dependencies. Users must ensure Node and the axios dependency are present; without a package.json or install instructions this is a packaging omission that can lead to surprises or mismatched environments.
Credentials
The skill does not request unrelated credentials. It expects an apiKey in a local JSON file and will store accessToken/tokenExpiry back to that file — which is proportionate for a CJ API integration. The only environment variable the code looks at is CJ_API_PATH (to override config path), which is not declared in the metadata; this should be documented and treated cautiously because it can redirect the skill to arbitrary files.
Persistence & Privilege
The skill persists credentials (accessToken and tokenExpiry) to cj-api.json and will overwrite whatever path CJ_API_PATH points to. While writing its own config is expected, the ability to write an arbitrary file path (via CJ_API_PATH) increases risk of accidental or malicious overwriting of sensitive files. The skill does not request 'always' or elevated platform privileges.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: `/install skill-dropshipping-sourcing`
- Once installed, call the Skill by name directly or trigger it with `/skill-dropshipping-sourcing`
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.2
- No changes detected in this version.
- Documentation and functionality remain the same as the previous release.
v1.0.1
- Updated file paths for configuration and scripts to be relative to the current directory.
- Script usage now references `./cj-api.json` and simplified `scripts/` paths.
- Documentation in SKILL.md is clearer and matches updated usage conventions.
v1.0.0
- Initial release of the skill for sourcing CJ Dropshipping product data via API v2.0.
- Supports keyword-based product search, pulling product details (SPU/SKU, images, categories, variants/colors).
- Provides CLI tools for refreshing access tokens and fetching product lists with normalized JSON output.
- Aims to streamline dropshipping catalog automation with reliable, up-to-date CJ product info.
Metadata
FAQ
What is Skill Dropshipping Sourcing?
Query CJ Dropshipping API v2.0 to source products and fetch details for catalog building. Use for CJ keyword search, pulling product records (SPU/SKU, images... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 493 downloads to date.
How do I install Skill Dropshipping Sourcing?
Run the command `/install skill-dropshipping-sourcing` in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Skill Dropshipping Sourcing free?
Yes, Skill Dropshipping Sourcing is completely free (open source); you can download, install and use it freely.
Which platforms does Skill Dropshipping Sourcing support?
Skill Dropshipping Sourcing is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skill Dropshipping Sourcing?
Developed and maintained by Zero2Ai (@zero2ai-hub); current version v1.0.2.