PipiAds Dropshipping Product Research
v1.0.6
Research dropshipping products and stores using TikTok and Facebook ad signals, product detail, and store intelligence from PipiAds.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description (PipiAds dropshipping research) matches the declared primary credential (PIPIADS_API_KEY) and the described tools (search_ads, get_product_detail, store research). Requiring an npm binary is coherent because the SKILL.md specifies installing a pipiads-mcp-server npm package to proxy API calls.
Instruction Scope
SKILL.md stays within the integration's scope: it tells the agent to use the PipiAds API, to set PIPIADS_API_KEY, and to run an MCP server that uses that key. It does not instruct reading unrelated files, other environment variables, or sending data to unexpected endpoints. It does direct the user to pipispy.com to obtain the API key/billing info (documented).
Install Mechanism
The skill's metadata includes an npm global install of pipiads-mcp-server@1.0.3 and an mcpServers entry to run pipiads-mcp-server. Installing an npm package is a reasonable, common mechanism for this purpose, but it is a code download that will run locally—so the package should be reviewed. Also note a minor inconsistency: the registry summary said 'No install spec — instruction-only', yet the SKILL.md contains an install command; this mismatch should be clarified.
Credentials
Only one required environment variable (PIPIADS_API_KEY) is declared and used; that matches the service being integrated and is proportionate. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It runs a local MCP server process when installed/run but does not request system-wide configuration changes or other skills' credentials.
Assessment
This skill appears to do what it says: it needs your PipiAds API key and will install/run a small npm-based MCP server to proxy API calls. Before installing, verify the pipiads-mcp-server package on the npm registry (check the publisher, version, and source repo), confirm the package's code or maintainers if possible, and obtain your API key only from the official site. Treat the API key like a secret: limit its permissions and monitor account usage. Also clarify the minor metadata mismatch (registry reported no install spec while SKILL.md includes an npm install) with the publisher before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latestvk9770bv9t4tsa0g8see7aphfgx8424nb
Runtime requirements
📊 Clawdis
Bins: npm
Env: PIPIADS_API_KEY
Primary env: PIPIADS_API_KEY
