fecify-site-manager-v1
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated Fecify store-management purpose, but it warrants Review: once a store token is saved, a generic API proxy lets the agent make broad and bulk changes to the store with that token.
Install only if you trust this skill with a Fecify site token. Prefer a limited-scope token, review every mutating API call before it is sent, test CSV imports with --dry-run and small batches first, and rotate or remove the token when you are finished.
Findings (4)
Artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Unrestricted API proxy using the saved token
Once a site token is configured, an agent that is prompted to do so, or simply mistaken, could create, update or delete store data through undocumented or unintended API paths.
The proxy accepts a caller-supplied HTTP method and path and forwards mutating and delete operations with the saved Fecify token; the proxy itself has no endpoint allowlist and no approval step.
Evidence:
node scripts/proxy/api-call.js <METHOD> <PATH> [BODY_JSON] ... case 'POST' ... case 'PUT' ... case 'DELETE'
Recommendation: use a least-privilege token, require explicit user confirmation before every POST/PUT/DELETE or bulk operation, and consider restricting the proxy to documented, known-safe endpoints.
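The kind of guard the recommendation asks for, as an added example written for this review and not code from the skill: a wrapper that a proxy such as api-call.js could run before forwarding a caller-supplied method and path with the stored token. The endpoint allowlist, the `confirm` and `send` hooks, and the paths under `/api/skill/` other than the upload endpoint quoted elsewhere in this report are assumptions for illustration.

```javascript
// Added example, not the skill's code. The endpoint list and the
// confirm/send hooks are assumptions used to illustrate the guard.

// Hypothetical allowlist of documented endpoints, keyed by HTTP method.
// A "*" segment matches exactly one path segment such as a record id.
const ALLOWLIST = {
  GET: ['/api/skill/site', '/api/skill/products', '/api/skill/products/*'],
  POST: ['/api/skill/products', '/api/skill/base-image/upload'],
  PUT: ['/api/skill/products/*'],
  DELETE: ['/api/skill/products/*'],
};

const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Only simple absolute paths: no scheme, no dots, no empty or encoded segments.
const SAFE_PATH = /^\/[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*$/;

function pathMatches(pattern, path) {
  const want = pattern.split('/');
  const got = path.split('/');
  return want.length === got.length &&
    want.every((seg, i) => (seg === '*' ? got[i].length > 0 : seg === got[i]));
}

// Normalise the request and decide whether it may be forwarded at all.
function classifyRequest(method, rawPath, allowlist = ALLOWLIST) {
  const m = String(method || '').toUpperCase();
  const path = String(rawPath || '').split('?')[0]; // query string plays no part in the allowlist
  const mutating = MUTATING.has(m);
  if (!SAFE_PATH.test(path)) return { allowed: false, mutating, reason: 'malformed path' };
  const patterns = allowlist[m];
  if (!patterns) return { allowed: false, mutating, reason: `method ${m} not permitted` };
  if (!patterns.some((p) => pathMatches(p, path))) {
    return { allowed: false, mutating, reason: 'path not allowlisted' };
  }
  return { allowed: true, mutating, reason: 'allowlisted', method: m, path };
}

// Forward allowlisted requests only, and ask for confirmation before any
// mutating call so the token is never used for an unreviewed change.
// confirm(summary, body) resolves to true/false; send(method, path, body)
// performs the real call. Both are injected so the guard can be tested offline.
async function guardedCall(method, rawPath, body, { confirm, send, allowlist = ALLOWLIST }) {
  const verdict = classifyRequest(method, rawPath, allowlist);
  if (!verdict.allowed) return { sent: false, reason: verdict.reason };
  if (verdict.mutating && !(await confirm(`${verdict.method} ${verdict.path}`, body))) {
    return { sent: false, reason: 'user declined' };
  }
  return { sent: true, response: await send(verdict.method, verdict.path, body) };
}

// Stand-alone demo with a fake transport: a DELETE that the user declines.
guardedCall('DELETE', '/api/skill/products/42', null, {
  confirm: async (summary) => { console.log(`would ask: confirm ${summary}? (declined in demo)`); return false; },
  send: async (m, p) => ({ status: 200, echoed: `${m} ${p}` }),
}).then((r) => console.log(JSON.stringify(r)));
```

Two details matter for a proxy like this. The allowlist is applied to the method and path together, so a documented GET endpoint does not become a permitted DELETE target, and the path is validated against a strict pattern before matching, so traversal sequences, absolute URLs and encoded segments are rejected before the allowlist is consulted rather than relying on the remote server to reject them.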
2. Token persisted in local configuration files
Anyone, or any process, with read access to those files can reuse the token to operate on the Fecify site.
The skill writes the site URL and AccessToken to local configuration files under its shared sessions data directory, where they persist between runs.
Evidence:
JSON.stringify({ url, token, updatedAt: new Date().toISOString() }, null, 2)
Recommendation: provide only scoped tokens, rotate them if the machine is shared or compromised, and delete the stored config when the skill is no longer needed.
3. High-impact bulk CSV import
A bad CSV or a wrong import option can apply many incorrect product changes at once.
Bulk CSV import can create many products and images. The skill does require a detection pass and user confirmation before importing, which keeps this purpose-aligned, but the blast radius of a single import remains large.
Evidence (translated from the Chinese in SKILL.md):
User uploads CSV → run detection first, then import; detection cannot be skipped ... show the options and wait for user confirmation ... import-shopify-csv.js <CSV> [--max=N] ... [--dry-run] ... [--import-concurrency=N]
Recommendation: run detection first, use --dry-run and small --max batches on production sites, and verify the preview before importing.
4. Image fetch from CSV-controlled URLs
An untrusted CSV can make the agent environment fetch arbitrary URLs and upload whatever comes back as a product image.
The importer downloads each image URL listed in the CSV and uploads the downloaded bytes to Fecify. That is expected for product import, but the visible code shows no restriction on host or content type.
Evidence:
const buf = await downloadImage(img.src); ... api.post('/api/skill/base-image/upload', { image_base64encode: buf.toString('base64'), image_name: ... })
Recommendation: import only trusted CSVs, confirm that image URLs point to public product images, and prefer adding URL and content validation before large imports.
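The URL and content validation the recommendation refers to, as an added example written for this review and not code from the skill: a pre-download check on `img.src` that rejects non-HTTPS schemes, embedded credentials, private and loopback hosts (including the cloud metadata address) and, optionally, hosts outside an allowlist, followed by a post-download check that identifies the image format from magic bytes and enforces a size ceiling before anything is base64-encoded and uploaded. The allowlist, the size ceiling and the sample buffers are constructed for illustration.

```javascript
// Added example, not the skill's code. Host allowlist, size ceiling and the
// sample inputs below are constructed for illustration.

const DEFAULT_MAX_BYTES = 5 * 1024 * 1024; // assumed ceiling per image

// IP literals and names that should never be fetched on a CSV author's behalf:
// loopback, link-local (cloud metadata lives at 169.254.169.254), RFC 1918,
// carrier-grade NAT, multicast/reserved, and common internal suffixes.
// The WHATWG URL parser has already canonicalised forms such as 0x7f.1 or
// 2130706433 to dotted decimal, so the IPv4 check sees the real address.
function isPrivateHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.internal')) return true;
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) || a >= 224;
  }
  // IPv6: anything in ::/8 (loopback, unspecified, IPv4-mapped), link-local, unique-local.
  return h.includes(':') && /^(::|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/.test(h);
}

// Reject a URL before any network request is made.
function validateImageUrl(src, { allowedHosts = null } = {}) {
  let url;
  try { url = new URL(String(src)); } catch (e) { return { ok: false, reason: 'not an absolute URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (url.port !== '' && url.port !== '443') return { ok: false, reason: 'non-standard port' };
  if (isPrivateHost(url.hostname)) return { ok: false, reason: 'private or loopback host' };
  if (allowedHosts &&
      !allowedHosts.some((h) => url.hostname === h || url.hostname.endsWith(`.${h}`))) {
    return { ok: false, reason: 'host not on allowlist' };
  }
  return { ok: true, url: url.href };
}

// Identify the format from magic bytes, never from the URL extension or the
// server's Content-Type header, both of which the CSV author or remote host control.
const IMAGE_MAGIC = [
  { type: 'image/jpeg', test: (b) => b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff },
  { type: 'image/png', test: (b) => b.subarray(0, 8).equals(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) },
  { type: 'image/gif', test: (b) => b.subarray(0, 4).toString('latin1') === 'GIF8' },
  { type: 'image/webp', test: (b) => b.subarray(0, 4).toString('latin1') === 'RIFF' && b.subarray(8, 12).toString('latin1') === 'WEBP' },
];

// Run on the downloaded bytes before they are base64-encoded and uploaded.
function validateImageBytes(buf, { maxBytes = DEFAULT_MAX_BYTES } = {}) {
  if (!Buffer.isBuffer(buf)) return { ok: false, reason: 'not a buffer' };
  if (buf.length > maxBytes) return { ok: false, reason: `exceeds ${maxBytes} bytes` };
  if (buf.length < 12) return { ok: false, reason: 'too short to be an image' };
  const hit = IMAGE_MAGIC.find((m) => m.test(buf));
  return hit ? { ok: true, type: hit.type } : { ok: false, reason: 'not a recognised image format' };
}

// Constructed sample inputs (not real product images): a JPEG SOI/APP0 header
// padded to 16 bytes, and the HTML a login or error page might return instead.
const SAMPLE_JPEG = Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0]), Buffer.alloc(12)]);
const SAMPLE_HTML = Buffer.from('<!doctype html><html><body>sign in</body></html>');

// Stand-alone demo.
console.log(validateImageUrl('https://169.254.169.254/latest/meta-data/'));
console.log(validateImageBytes(SAMPLE_HTML));
```

A hostname check on the literal URL is necessary but not sufficient: a public DNS name can resolve to a private address, and a redirect can land on one. A complete fix resolves the name and checks the resulting address at connection time, and either disables redirects or re-validates every hop. Checking the bytes after download catches the separate failure where a URL that looked fine returns an HTML page, which would otherwise be uploaded to the store as a product image.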
