PrestaShop Bridge V1
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly a coherent PrestaShop bridge contract, but review is warranted: it enables business-changing store operations using sensitive bridge credentials, while some of the security verification and setup files its documentation claims to include are missing from the package.
Before installing, ask for the complete package including `.env.bridge.example` and `examples.http`, verify the HMAC examples yourself, and only use least-privilege credentials. Treat all write actions as production-impacting store changes and require explicit approval before product imports, product updates, or order-status changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users cannot reproduce the package’s claimed environment and HMAC validation from the provided artifacts, which weakens confidence in the signed-API security posture.
The included validator requires `.env.bridge.example` and `examples.http`, and other docs claim these files contain the environment contract and exact HMAC examples, but the supplied file manifest does not include them.
REQUIRED_FILES = [... ROOT / ".env.bridge.example", ROOT / "examples.http", ...]
Do not rely on the pack for production until the missing files are supplied or the validator/docs are corrected; verify HMAC examples and environment handling independently.
If used incorrectly, the agent could change prices, stock, SEO content, product catalog entries, or customer-facing order status.
The skill intentionally exposes write operations that can change product data, import catalog items, and update order status with optional customer notification.
update_product ... scope: `bridge:write`; import_products ... maximum `50` items; update_order_status ... `notify_customer`
Use least-privilege write credentials, require explicit human confirmation for write jobs, test in staging, and always poll job status before treating a change as complete.
Exposing the declared bridge credentials and backend connection settings too broadly could give an agent or operator more access than needed, including the ability to sign bridge requests or reach backend services directly.
The package declares sensitive bridge deployment credentials and backend connection settings, even though the registry-level requirements list no primary credential or required environment variables.
"OAUTH_CLIENT_SECRET", "JWT_PRIVATE_KEY_PATH", "HMAC_SECRET_CURRENT", "REDIS_DSN", "DATABASE_URL"
Provide only the credentials needed for the specific client workflow, keep backend database/JWT private-key material out of agent runtime where possible, and rotate secrets if exposed.
