ClawHub

Drop Pick

v1.0.2

Cross-platform product selection and sourcing analysis for distributors and dropshippers. Uses opencli plugins (aliexpress, alibaba-api buyer API, amazon) to...

2· 57·0 current·0 all-time
by@lcturing0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a distributor/dropship product-research helper and only requires opencli plus Alibaba API credentials (app key/secret/access token). Those credentials and the opencli plugin calls match the described functionality.
Instruction Scope
SKILL.md instructs the agent to run opencli commands against alibaba-api, aliexpress, and amazon plugins and to follow an OAuth flow for the Alibaba token. It does not instruct reading unrelated files, accessing other environment variables, or transmitting data to unexpected endpoints beyond the stated services.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by the skill itself. The only runtime requirement is that the user has opencli and the relevant plugins installed (which the SKILL.md checks).
Credentials
The three required env vars (ALI_APP_KEY, ALI_APP_SECRET, ALI_ACCESS_TOKEN) are directly relevant to using the Alibaba buyer API. No unrelated credentials or broad system secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request any system-wide configuration changes or access to other skills' credentials. It runs via opencli at invocation time.
Assessment
This skill appears internally consistent, but before installing or providing credentials: 1) Verify you trust the opencli binary and the specific plugins (alibaba-api, aliexpress, amazon) the skill expects — plugins may be installed dynamically and contain code that will call external services. 2) Use a dedicated Alibaba API account or scoped/short-lived tokens where possible and rotate them regularly. 3) Confirm the OAuth redirect (localhost) flow works in your environment and avoid pasting long-lived secrets into shared systems. 4) Because the skill is instruction-only, the static scanner had nothing to analyze — inspect the opencli plugins' source or install location if you need higher assurance. 5) If you plan to let an autonomous agent use this skill, be aware the agent will be able to call those APIs using the provided ALI_ACCESS_TOKEN; only grant tokens you are comfortable having the agent use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d4c6w5jkmgnr03x56fazcq584vx8f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsopencli
EnvALI_APP_KEY, ALI_APP_SECRET, ALI_ACCESS_TOKEN
Primary envALI_ACCESS_TOKEN

Comments