ClawHub

WordPress/WooCommerce Connector Lite

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WooCommerce connector that uses a store secret to fetch order and product data from the user-configured store, with no evidence of hidden exfiltration or destructive behavior.

Install only for agents and operators authorized to view WooCommerce order and customer data. Configure OPENCLAW_STORE_URL with an HTTPS WordPress site you control, protect and rotate OPENCLAW_STORE_SECRET like an API key, and avoid exposing order lookups in shared or untrusted conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly advertises access to order status, customer information, and line items, but provides no warning about handling personal or transactional data, least-privilege use, retention, or privacy obligations. In a skill that connects an AI agent directly to a WooCommerce store, this omission increases the risk of unsafe deployment, overcollection, and inappropriate disclosure of customer data by downstream users or agents.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The check_order tool retrieves and displays customer/order details, and those details are sent to a remote store endpoint derived from OPENCLAW_STORE_URL with no enforcement that the URL uses HTTPS. If the store URL is configured as plain HTTP, order identifiers and returned billing data could be exposed to interception or modification in transit, which is especially sensitive given this skill’s purpose is accessing WooCommerce order data.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The find_product tool sends user-provided search terms to a remote endpoint without explicit disclosure, which is expected for a connector skill but still creates a privacy/data-handling concern. If OPENCLAW_STORE_URL is misconfigured to HTTP, queries could also be observed in transit; however, the data is generally less sensitive than order/customer details, so the impact is lower.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal