CJ Dropshipping API

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate CJ Dropshipping API guide, but it includes runnable commands that can create orders, change Shopify/CJ account state, and set webhooks without clear safety gates.

Install only if you intend to let an agent help operate a CJ/Shopify dropshipping workflow. Before running any POST, listing, order, payment, delivery-profile, or webhook command, confirm the exact CJ account, shop, product IDs, customer data, costs, and callback URL; prefer test accounts and protect the CJ access token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes copy-pastable examples for creating real orders and configuring webhooks, but it does not warn that these actions have external side effects, may incur charges, or may alter production integrations. In an agent setting, this omission materially increases the risk of unintended transactions, shipment actions, or callback changes being executed with live credentials.

External Transmission

Medium
Category
Data Exfiltration
Content
}' | jq .

# 7️⃣ Create an order (V2)
curl -X POST "https://developers.cjdropshipping.com/api2.0/v1/shopping/order/createOrderV2" \
  -H "Content-Type: application/json" \
  -H "CJ-Access-Token: $CJ_TOKEN" \
  -d '{
Confidence
78% confidence
Finding
curl -X POST "https://developers.cjdropshipping.com/api2.0/v1/shopping/order/createOrderV2" \ -H "Content-Type: application/json" \ -H "CJ-Access-Token: $CJ_TOKEN" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
-H "CJ-Access-Token: $CJ_TOKEN" | jq .

# 9️⃣ Set up a webhook for order updates
curl -X POST "https://developers.cjdropshipping.com/api2.0/v1/webhook/set" \
  -H "Content-Type: application/json" \
  -H "CJ-Access-Token: $CJ_TOKEN" \
  -d '{
Confidence
83% confidence
Finding
curl -X POST "https://developers.cjdropshipping.com/api2.0/v1/webhook/set" \ -H "Content-Type: application/json" \ -H "CJ-Access-Token: $CJ_TOKEN" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
