WPClaw Lite (WordPress/WooCommerce connector)

Connects to a WooCommerce store via the WPClaw Connector plugin to fetch orders and products.

This skill's behavior is consistent with a WooCommerce connector, but the package metadata omitted the environment variables that the code actually requires. Before installing: (1) Confirm the publisher and that the WordPress plugin (WPClaw Connector) on your store is genuine and audited; (2) only provide the WPCLAW_STORE_SECRET to trusted code and consider using a least-privilege/test store or rotated key for evaluation; (3) verify transport is HTTPS for WPCLAW_STORE_URL and that the plugin expects HMAC signatures as implemented; (4) ask the publisher to correct the registry metadata so required credentials are declared; (5) review the WP plugin server-side code (or test in staging) to ensure no unexpected endpoints or behaviors; and (6) run npm install in an isolated environment and inspect node_modules if you plan to execute the skill locally. The current inconsistencies suggest a packaging error or sloppy release process rather than clear malicious intent, but treat the store secret as sensitive until you validate the whole stack.

Type: OpenClaw Skill Name: wpclaw-lite Version: 1.0.0 The skill is designed to connect to a WooCommerce store using provided environment variables (`WPCLAW_STORE_URL`, `WPCLAW_STORE_SECRET`). The `scripts/index.js` file uses `axios` to make authenticated HTTP requests to the specified store URL, employing HMAC-SHA256 signing with the secret key for security. There is no evidence of data exfiltration beyond the stated purpose, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` or `README.md`. All dependencies (`axios`) are legitimate, and the code's functionality aligns directly with its description.