Magento 2 Skill
v1.3.1
Manage a Magento 2 / Adobe Commerce store via REST API. Use for orders, catalog, customers, inventory, promotions, and sales reporting. It can also discover...
by Caravan Of Glory @caravanglory
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and env vars: the skill implements a full Magento 2 REST client and command-line scripts for orders, catalog, customers, inventory, promotions, and reporting. The required env vars are Magento OAuth credentials and base URL, which are appropriate for this purpose.
Instruction Scope
Runtime instructions and scripts only call the Magento REST API and reference expected Magento config/env vars. However, many scripts perform state-changing actions (delete product, update prices, cancel/ship/invoice orders, clear caches, create/disable promotions). The SKILL.md warns credentials come from env vars; the code enforces that. Also a minor mismatch: scripts use OPENCLAW_DELAY_MS though it is not documented in the SKILL.md optional env list.
Install Mechanism
Install spec uses 'uv' to install Python packages (requests, requests-oauthlib, pandas, tabulate). That aligns with requirements in code. requirements.txt additionally lists 'ruff' (a linter) which is unnecessary for runtime — a small inconsistency. 'uv' as an install kind is uncommon (but not inherently malicious); confirm your platform's 'uv' implementation before installing.
Credentials
All required environment variables are Magento-specific (base URL and OAuth keys/tokens), which is proportionate. No unrelated credentials are requested. Note: multiple per-site env conventions are supported; the skill will read any MAGENTO_BASE_URL_<SITE> keys present. Also uses optional MAGENTO_TIMEOUT, MAGENTO_DEBUG and OPENCLAW_DELAY_MS (the latter is used but not documented as optional).
Persistence & Privilege
always is false and the skill does not request permanent system-wide privileges. It does modify Magento store state through the API (intended behavior) but does not attempt to change agent/system config.
Assessment
This skill appears to do what it says: it needs full Magento API credentials and will be able to read and change store data (prices, products, orders, promotions, caches). Before installing: 1) only provide credentials that have the minimum permissions needed (consider a read-only token for reporting/inspection tasks and a separate write-scoped token for change operations); 2) test in a staging store first; 3) confirm what your platform's 'uv' installer does and review the install step, since requirements.txt includes a linter (ruff) not needed at runtime; 4) be aware scripts include a generic custom_api endpoint that can call arbitrary REST paths on your store — treat credentials as sensitive and rotate them if exposed. If you want extra assurance, review the omitted/large files (diagnose.py, reports, etc.) or run the skill in an isolated environment before granting production credentials.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🛒 Clawdis
Bins: python3
Env: MAGENTO_BASE_URL, MAGENTO_CONSUMER_KEY, MAGENTO_CONSUMER_SECRET, MAGENTO_ACCESS_TOKEN, MAGENTO_ACCESS_TOKEN_SECRET
Primary env: MAGENTO_BASE_URL
Install
Install Python dependencies (uv)
