ClawHub

WordPress/WooCommerce Connector Lite

v1.0.1

Connects to a WooCommerce store via the OpenClaw Connector Lite plugin to fetch orders and products.

1· 2.2k·3 current·3 all-time
by@magnum-opus-v1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code and SKILL.md clearly implement a WooCommerce/OpenClaw connector and legitimately require the store URL and a store secret. However, the registry metadata claims no required environment variables or primary credential while SKILL.md and scripts/index.js require OPENCLAW_STORE_URL and OPENCLAW_STORE_SECRET. This metadata mismatch is an incoherence that should be fixed or explained.
Instruction Scope
The SKILL.md and exported tools limit behavior to fetching orders/products and checking store status. Instructions and code do not attempt to read local files or unrelated environment variables; network calls are targeted at the store's wp-json/openclaw endpoints and requests are HMAC-signed with the provided secret.
Install Mechanism
There is no explicit install spec in the registry (instruction-only), but package.json and README instruct running npm install to fetch axios. This is a normal npm dependency (axios) and there are no downloads from arbitrary URLs or extract steps. The lack of an install spec in the registry is an operational inconsistency to be aware of.
!
Credentials
The environment access the code actually needs (OPENCLAW_STORE_URL and OPENCLAW_STORE_SECRET) is proportionate to the stated purpose. However, the registry metadata omits these required env vars entirely — a mismatch that could mislead users into installing without providing needed secrets or understanding what will be accessed.
Persistence & Privilege
The skill is user-invocable, not marked always:true, and does not modify other skills or system-wide settings. It does not request elevated persistence or cross-skill configuration changes.
What to consider before installing
Before installing: 1) Resolve the metadata mismatch — confirm with the publisher why the registry lists no required env vars while SKILL.md and the code require OPENCLAW_STORE_URL and OPENCLAW_STORE_SECRET. 2) Only provide your Store Secret to this skill if you trust the OpenClaw Connector Lite plugin installed on your WordPress site — that secret grants API access to your store endpoints. 3) Review the WordPress plugin code and the plugin's endpoint (/wp-json/openclaw/v1/*) on your site to ensure they behave as expected; if the plugin is from an unknown source, do not share secrets. 4) Expect to run npm install (axios dependency) in the skill directory; run this in an isolated environment if you have concerns. 5) If possible, create a scoped or read-only secret for agent access, and monitor store logs for unexpected requests. If you cannot verify the plugin and the source, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk975h6s1pxk3mp6mtm1evx3mkh80b71b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments