Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PrestaShop Bridge V1
v1.0.3
Secure skill pack for operating a PrestaShop 9 Bridge through a stable, signed, asynchronous API contract.
by @ansz089
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md, README, openapi.yaml, and schemas consistently describe a PrestaShop Bridge that legitimately requires secrets (OAuth client credentials, JWT keys, HMAC secret), Redis and MySQL access. However the registry-level 'Requirements' summary (top of the provided metadata) lists no required environment variables or config paths, which is inconsistent with _meta.json, docs, and the validator that all declare many required runtime variables. This mismatch between published metadata and the package contents is a red flag (either metadata was omitted or the package may be incomplete).
Instruction Scope
The SKILL.md instructions themselves are narrowly scoped to API usage, signing, and polling and explicitly forbid direct DB/filesystem access. That is coherent for a bridge contract. However the included validator script reads local files and expects a .env file and examples.http; the SKILL.md and docs instruct maintainers to run the validator and to verify exact HMAC examples. The validator also embeds a fixed SECRET used to compute example HMACs, which leaks an example signing secret inside the package and increases the chance someone will accidentally reuse it.
Install Mechanism
This is an instruction-only pack with no install spec and no external downloads — low installation risk. The only code files are small validators/eval scripts included for local verification.
Credentials
The package (in _meta.json and docs) declares many sensitive environment variables (OAUTH_CLIENT_SECRET, JWT_PRIVATE_KEY_PATH, HMAC_SECRET_CURRENT/PREVIOUS, DATABASE_URL, REDIS_DSN, etc.), which are proportionate to the stated bridge purpose. The problem is the registry-level requirements shown to the platform were empty; that inconsistency could cause a user to install without providing required secrets. Additionally, validators/validate_examples.py embeds a long hex SECRET constant — this is a hard-coded secret inside the repo (not a platform requirement) and could be mistaken for a runtime secret or misused; it's poor hygiene and may aid attackers if reused.
Persistence & Privilege
The skill does not request permanent platform presence (always:false) and does not request elevated platform privileges. It does not modify other skills. Autonomous invocation remains enabled (normal), but there is no combination of 'always' plus broad credentials here.
What to consider before installing
Do not install or use this pack until you confirm a few things:
1) The registry/manifest shown to the platform should list the same required environment variables declared inside _meta.json and docs—if the platform shows none, ask the publisher why.
2) Verify the package actually includes .env.bridge.example and examples.http referenced by the validator; those files appear to be missing from the provided manifest.
3) Inspect validators/validate_examples.py: it contains a hard-coded SECRET used to compute example HMACs — treat this as an example secret only and ensure you never deploy or reuse it in production.
4) Confirm the package origin and homepage/source (source is unknown here); prefer packages with a verifiable upstream repo or publisher.
5) If you plan to deploy, ensure secrets (OAuth client secret, HMAC secrets, JWT private key, DATABASE_URL, REDIS_DSN) are provided through secure secret storage and not committed.
6) Ask the publisher to fix metadata inconsistencies (registry requirements, included example files) and to remove or clearly label any embedded test secrets before trusting automated agents with these credentials.
Tags: api, bridge, hmac, latest, oauth2, openclaw, prestashop, symfony
