Medusa Commerce
v1.0.0Medusa Commerce integration. Manage data, records, and automate workflows. Use when the user wants to interact with Medusa Commerce data.
⭐ 0· 29·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the instructions: the skill is explicitly a Medusa Commerce integration that uses the Membrane CLI as a proxy/connector. All required functionality (discovering actions, running actions, proxying requests) is accomplished via the Membrane CLI, which is a reasonable dependency for this purpose.
Instruction Scope
SKILL.md only instructs using the Membrane CLI (login, connect, action list/run, request proxy). It does not instruct reading unrelated files, scraping environment variables, or exfiltrating data outside the expected Membrane<->Medusa flow. Note: proxying requests via Membrane will send Medusa data to Membrane's servers as intended by the skill.
Install Mechanism
This is an instruction-only skill with no install spec, but it recommends installing the @membranehq/cli globally via npm (or using npx in examples). Installing an npm package is a moderate-risk action in general — the skill itself does not bundle code, but following its instructions requires running third-party code from the npm registry. Verify the package and maintainers before installing; using npx or an isolated environment reduces risk.
Credentials
The skill declares no required environment variables or credentials and explicitly advises not to ask users for API keys, instead relying on Membrane-managed connections. This is proportional. One minor note: the Membrane CLI may cache session tokens or connection metadata locally—review the CLI's storage behavior if local token persistence is a concern.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The default that the agent can invoke the skill autonomously is unchanged and expected; be aware that if invoked the skill will perform network operations and use the configured Membrane connection to act on behalf of the user. That network ability is consistent with the skill's purpose but increases operational blast radius if misused.
Assessment
This skill appears to do what it says: it uses Membrane as a proxy to interact with Medusa Commerce. Before installing or running commands: 1) Verify the @membranehq/cli package and its GitHub repo (maintainers, recent commits, npm download stats) to ensure you trust the CLI you will install. 2) Prefer running via npx or in an isolated environment (container/VM) instead of a global npm install if you have doubts. 3) Understand that using the skill will send Medusa data through Membrane's servers—review Membrane's privacy/security documentation and grant the connector only the minimum Medusa permissions needed. 4) Check how the CLI stores session tokens locally (e.g., in home config directories) and clear them if needed. 5) If you require higher assurance, test with a non-production Medusa account first.Like a lobster shell, security has layers — review code before you run it.
latestvk972y5azjbzx4yt0rqz3c8trdd8466v2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.