Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill: Dropshipping Sourcing

Query CJ Dropshipping API v2.0 to source products and fetch details for catalog building. Use for CJ keyword search, pulling product records (SPU/SKU, images...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 251 · 1 current installs · 1 all-time installs
by Zero2Ai @Zero2Ai-hub
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the code: both token.js and source.js call CJ API endpoints and produce normalized output for catalog building. However the skill metadata declares no required binaries or credentials while the runtime expects a local config file (./cj-api.json) containing an apiKey and accessToken. That mismatch (no declared runtime requirements but Node scripts that need Node and axios and a local API key) is a documentation/packaging inconsistency.
Instruction Scope
SKILL.md instructs running token.js and source.js and references ./cj-api.json only. The scripts only read/write that config and make requests to CJ's API, which is in-scope. However both scripts accept CJ_API_PATH via environment to override the config file location, which allows reading/writing an arbitrary filesystem path if an attacker or misconfiguration sets that variable. The instructions don't warn about this or restrict the path.
Install Mechanism
There is no install spec; the skill is instruction-only but includes Node scripts that require a Node runtime and the axios package. The registry metadata lists no required binaries/dependencies. Users must ensure Node and the axios dependency are present; without a package.json or install instructions this is a packaging omission that can lead to surprises or mismatched environments.
Credentials
The skill does not request unrelated credentials. It expects an apiKey in a local JSON file and will store accessToken/tokenExpiry back to that file — which is proportionate for a CJ API integration. The only environment variable the code looks at is CJ_API_PATH (to override config path), which is not declared in the metadata; this should be documented and treated cautiously because it can redirect the skill to arbitrary files.
Persistence & Privilege
The skill persists credentials (accessToken and tokenExpiry) to cj-api.json and will overwrite whatever path CJ_API_PATH points to. While writing its own config is expected, the ability to write an arbitrary file path (via CJ_API_PATH) increases risk of accidental or malicious overwriting of sensitive files. The skill does not request 'always' or elevated platform privileges.
What to consider before installing
This skill appears to do what it claims (query CJ Dropshipping), but before installing or running it:

1) Ensure you have Node and the axios package installed; the skill doesn't install dependencies itself.
2) Create a dedicated cj-api.json in a safe, isolated directory containing your CJ apiKey (and optionally accessToken/tokenExpiry); keep that file private.
3) Do not set CJ_API_PATH to sensitive system files; the scripts will read and overwrite whatever path that variable points to.
4) Run the token refresh and search commands in a non-privileged account/folder to avoid accidental file overwrites.
5) If you want to be stricter, add a minimal package.json and explicit install steps (npm install axios) or sandbox execution.

If you need greater assurance, ask the publisher for a package.json and an explicit list of runtime requirements, or review the code locally before running.


Current version: v1.0.2
latest: vk97eeef4n2jv0wkn3736m5et1s8211gf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

CJ Sourcing

Use this skill to reliably pull CJ product data (instead of manual browsing).

Files / creds (local convention)

  • Config: ./cj-api.json
    • apiKey, baseUrl, accessToken, tokenExpiry

1) Refresh access token

node scripts/token.js

2) Search products by keyword (listV2)

node scripts/source.js --keyword "sunset lamp" --size 20 --out cj-results.json

Output: cj-results.json with normalized fields.

Notes

  • Token refresh is conservative (refreshes ~10 minutes before expiry).
  • source.js uses GET /product/listV2 and requests enable_description + category fields.

Files

3 total
