ClawHub

Skills

v1.0.0

Import products from Shopify, Wix, WordPress, and Amazon directly into WooCommerce via natural language.

0· 99·0 current·0 all-time
by@colaliang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to import products into WooCommerce and implements an MCP server that POSTs import requests to an external Yundian+ API using a single API key. Required binaries (node, npm, npx) and the @modelcontextprotocol dependency are appropriate for running the provided TypeScript MCP server.
Instruction Scope
SKILL.md correctly instructs adding an MCP server entry that runs mcp-server.ts and maps the API key. However the example also sets YUNDIAN_WOO_IMPORTER_API_URL in the MCP config (https://ydplus.net) even though YUNDIAN_WOO_IMPORTER_API_URL is not declared in requires.env. The MCP server will forward whatever import arguments (platform, product links, etc.) to the external API_URL, so product data and any arguments passed to the tool are sent to that external endpoint — this is expected but you should confirm you trust that remote service and understand what data is transmitted.
Install Mechanism
There is no high-risk installer: the skill is instruction-only with a small package.json referencing @modelcontextprotocol/sdk and metadata suggesting 'npm install'. No downloads from obscure URLs or archive extraction are present.
Credentials
The sole declared required secret is YUNDIAN_WOO_IMPORTER_API_KEY, which is proportionate for an API-backed importer. Two points to note: (1) SKILL.md and the example MCP config expect YUNDIAN_WOO_IMPORTER_API_URL but it is not listed in requires.env; (2) whatever API_URL you configure will receive import payloads (including product links and platform identifiers). Only provide your API key to services you trust and verify the API_URL is the intended endpoint.
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills. It does instruct the user to add an MCP server entry to their local OpenClaw config — that is normal for MCP-based skills.
Assessment
This skill forwards import requests to an external Yundian+ API and requires you to provide an API key. Before installing: (1) Confirm the API_URL (https://ydplus.net) is correct and trusted — the skill will send product URLs and import parameters there. (2) Be aware the SKILL.md expects YUNDIAN_WOO_IMPORTER_API_URL but the skill only declares the API key as required; explicitly set the API_URL in your MCP config. (3) Review the provider's privacy/security policy to understand what data they store or access. (4) If you prefer not to expose product or store data to a third party, do not install or provide the API key. If you want higher assurance, ask the publisher for provenance (source repository, signed releases) and confirm the npm dependency versions.
mcp-server.ts:17
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk970yez8vm13n4550g893m88zn83at2a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛍️ Clawdis
Binsnode, npm, npx
EnvYUNDIAN_WOO_IMPORTER_API_KEY
Primary envYUNDIAN_WOO_IMPORTER_API_KEY

Comments