Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cj Dropshipping Api

v1.0.0

Use when user wants to integrate CJ Dropshipping, search products, create orders, track shipments, manage Shopify listings via CJ, or automate CJ logistics a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and the SKILL.md both describe CJ Dropshipping API operations (product search, orders, webhooks, Shopify listing). That purpose is coherent with the included API reference and example calls.
Instruction Scope
The runtime instructions rely on running accio-mcp-cli to obtain CJ-Access-Token, and show using curl/jq and exporting CJ_TOKEN. The skill metadata declares no required binaries or env vars, yet the instructions assume the agent (or user) can run accio-mcp-cli, curl, and jq and will handle an OAuth browser flow. This mismatch could cause unexpected behavior if the agent tries to execute missing/untrusted tools.
Install Mechanism
No install spec and no code files — instruction-only. Low disk/write risk. However, because the skill delegates auth to an external CLI (accio-mcp-cli), installing/using that CLI is an operational dependency the registry metadata does not document.
Credentials
The skill requires a CJ access token (CJ-Access-Token) for all API calls and suggests exporting CJ_TOKEN, but the registry lists no required environment variables or primary credential. Requesting a token for CJ is proportional to the task, but the omission of this expected requirement in metadata is a coherence issue and makes it unclear how the agent should obtain/store credentials safely.
Persistence & Privilege
always is false and there are no config paths or claims to modify other skills or system settings. The skill does instruct storing webhook URLs and tokens but does not demand persistent system privileges.
What to consider before installing
This skill appears to be a straightforward CJ Dropshipping API cookbook, but it references external tools and an OAuth flow that are not declared in the skill metadata. Before installing or enabling it:

1) Verify what 'accio-mcp-cli' is, where it comes from, and that you trust its source — the skill assumes that CLI will open a browser and print access tokens.
2) Confirm your environment has (or will install) curl and jq if you expect the agent to run the example commands.
3) Treat the CJ access token (CJ-Access-Token / CJ_TOKEN) like a secret: only store it in trusted secret storage, and don't paste it into untrusted consoles or share it.
4) If you plan to accept webhooks, host callback endpoints securely and validate incoming requests.
5) Because the skill metadata omits these operational requirements and the source is 'unknown' in the registry, proceed cautiously — ask the skill author for a clear list of required binaries and exact guidance for obtaining accio-mcp-cli (or be prepared to perform the OAuth step yourself).

Like a lobster shell, security has layers — review code before you run it.

latestvk97bcsq8q0q3k83eyt1aeprsnd84swtx
