fecify-site-manager-v1
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: fecify-site-manager-v1
Version: 1.0.0
The skill bundle is a legitimate management tool for Fecify e-commerce sites, providing functionality for API interaction and Shopify CSV product imports. It implements a session-based configuration system that stores site URLs and access tokens locally in a shared data directory to ensure persistence across updates. The code demonstrates good practices, such as input validation in `api-client.js`, a two-step verification process for CSV imports in `detect-shopify-csv.js`, and automatic cleanup of temporary files. There are no signs of data exfiltration, malicious execution, or harmful prompt injection instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After a site token is configured, an agent could create, update, or delete store data through undocumented or unintended API paths, whether prompted to do so or by mistake.
The proxy accepts caller-supplied methods and paths and supports mutating and delete operations using the saved Fecify token, without an endpoint allowlist or approval check in the proxy.
node scripts/proxy/api-call.js <METHOD> <PATH> [BODY_JSON] ... case 'POST' ... case 'PUT' ... case 'DELETE'
Use a least-privilege token, require explicit user confirmation before every POST/PUT/DELETE or bulk operation, and consider limiting the proxy to documented safe endpoints.
Anyone or any process with access to those local files may be able to reuse the token to operate on the Fecify site.
The skill persistently writes the site URL and AccessToken into local configuration files under its shared sessions data directory.
JSON.stringify({ url, token, updatedAt: new Date().toISOString() }, null, 2)
Provide only scoped tokens, rotate them if the machine is shared or compromised, and remove the stored config when the skill is no longer needed.
A bad CSV or wrong import option could make many incorrect product changes at once.
Bulk CSV import can create many products and images; the skill does require detection and user confirmation, which makes this purpose-aligned but still high-impact.
User uploads a CSV → detect first, then import; detection cannot be skipped ... show the options and wait for user confirmation ... import-shopify-csv.js <CSV> [--max=N] ... [--dry-run] ... [--import-concurrency=N]
Run detection first, use --dry-run and small --max batches on production sites, and verify the preview before importing.
An untrusted CSV could cause the agent environment to fetch unexpected URLs and upload the result as an image.
The importer downloads image URLs from the CSV and uploads the downloaded bytes to Fecify; this is expected for product import, but the visible code does not show host or content-type restrictions.
const buf = await downloadImage(img.src); ... api.post('/api/skill/base-image/upload', { image_base64encode: buf.toString('base64'), image_name: ... })
Import only trusted CSVs, confirm image URLs are public product images, and prefer adding URL/content validation before large imports.
