Spree Commerce
Pass. Audited by ClawScan on May 13, 2026.
Overview
This appears to be a Spree Commerce guidance skill with purpose-aligned documentation, credential-handling examples, and protective command/secret-check scripts.
This skill appears safe to install as a Spree Commerce documentation and development assistant. Expect it to consult live Spree docs and help with commands, APIs, and credentials for your own application; review any database, deployment, payment, or admin API actions before allowing them to run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may browse Spree documentation and release notes before giving implementation advice.
The skill instructs the agent to use web search and fetch official documentation before coding. This is aligned with the stated goal of tracking Spree's evolving APIs, but users should be aware of the network activity.
Excerpt from the skill: "Before writing any implementation code: 1. **Always web-search** ... 2. **Always fetch live docs**"
Recommendation: Allow web access only when appropriate, and prefer the official Spree sources listed by the skill.
If this hook is active, some high-risk commands may be blocked or warned about before running.
The script is designed to inspect Bash commands and block destructive Rails, database, Docker, and Spree operations such as db:drop or docker compose down -v. This is protective and purpose-aligned, but it can affect tool execution if enabled.
"""PreToolUse hook: block potentially destructive Rails / Spree / database commands."""
Review any blocked command manually and confirm destructive database or deployment actions with the user before proceeding.
Using the skill may involve handling credentials that can access or modify a Spree store if misused.
The skill provides the expected guidance for Spree API authentication, including publishable keys, admin API keys, OAuth client secrets, JWTs, and order tokens. These are central to the stated API-development purpose, and the artifact also advises safer handling such as httpOnly cookies.
Excerpt from the skill: Admin API at `/api/v3/admin/*` (per-user API keys + OAuth2 Doorkeeper, admin/operations)
Recommendation: Use least-privilege API keys, keep secrets server-side or in environment/credential stores, and avoid pasting live admin credentials into prompts unless necessary.
