Woocommerce Commerce
Pass
Audited by ClawScan on May 13, 2026.
Overview
This WooCommerce development skill is coherent and instruction-focused, with no evidence of hidden data theft, destructive behavior, or unsafe automatic actions.
This appears safe to install as a WooCommerce/PHP development guidance skill. Expect it to look up current official documentation and, if its helper scripts are enabled by the host, warn about hardcoded secrets or block destructive WP-CLI commands. Avoid including production credentials in generated code or web-search queries.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make network requests to WooCommerce, WordPress, PHP, or related documentation sites while helping with development.
The skill directs the agent to use web-search/web-fetch tools before implementation. This is disclosed and aligned with keeping WooCommerce API usage current, but it means the agent may access external documentation sites during use.
Before writing any WooCommerce implementation code, you MUST web-search and/or web-fetch the relevant official documentation.
Use this skill when external documentation lookup is acceptable; avoid asking it to include private project details in web searches.
If this hook is enabled by the host, some destructive WP-CLI commands may be blocked or warned about before execution.
The package includes a local guard script that can inspect Bash commands and block dangerous WP-CLI patterns such as database resets or WooCommerce deletion. This modifies tool execution behavior, but it is protective and purpose-aligned.
"PreToolUse hook: block potentially destructive WordPress/WooCommerce CLI commands."
Treat this as a safety feature, but review blocked-command messages and confirm any high-impact maintenance action manually.
If enabled, generated code containing apparent secrets may be inspected locally and surfaced as a warning.
The script locally scans newly written or edited content for patterns resembling database passwords, WordPress salts, payment secrets, or WooCommerce API keys. It shows no sign of storing or transmitting that content, but it may process sensitive strings if they are present in generated code.
"PostToolUse hook: detect hardcoded WordPress/WooCommerce secrets in written code."
Do not place real production secrets in generated files; use environment variables or a secrets manager as the skill itself recommends.
