ClawHub

Build Amazon Affiliate Plugin

v1.0.0

Create a WordPress plugin that detects Amazon affiliate links, extracts ASINs, displays product ads with caching, admin settings, and Gutenberg block support.

0· 304·1 current·1 all-time
byimjohnathan@imjohnathanblog-spec
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to produce a complete WordPress plugin (including backend behavior: link detection, PA-API signing, transients, admin settings, AJAX handlers), and includes spec docs, block JS, CSS, and admin JS — but the core PHP files and server-side classes (ad-symbiont.php, includes/class-*.php) are missing. That mismatch means the shipped files are partial assets/documentation rather than a finished plugin; an agent or user would need to generate server-side code to achieve the described purpose.
Instruction Scope
SKILL.md stays on topic: it points to internal docs and asks the agent to generate plugin code and save it into a workspace path. It does not instruct reading unrelated system files or exfiltrating data. The save path is a user workspace directory (not a system configuration location).
Install Mechanism
No install spec is provided (instruction-only), and included files are static assets and docs. Nothing in the package downloads or executes remote code during install — low install risk.
Credentials
No environment variables or external credentials are requested by the skill metadata. The references describe PA-API keys and associate tags, but these are expected to be configured in WordPress admin (plugin settings) and are not requested by the skill at install time. This is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It only instructs creating files in the agent workspace; no elevated persistence or privilege is requested.
What to consider before installing
This package contains frontend assets, block JavaScript, CSS and detailed specs, but it lacks the main PHP/server-side implementation the plugin promises. Before installing or running any generated plugin on a live site: (1) insist on or review the generated PHP files and includes (ad-symbiont.php, class-ads.php, class-link-detector.php, class-paapi.php) so you can verify sanitization, escaping, capability checks, and nonce handling; (2) confirm PA-API credential handling never logs or transmits keys to external endpoints and that AWS Signature V4 is implemented correctly client-side only when needed; (3) test the plugin on a staging site to ensure AJAX handlers (e.g., cache-clear) enforce nonces and manage capabilities; (4) verify affiliate tag behavior to avoid cloaking/link-masking that would violate policies; and (5) if you rely on the agent to generate missing backend code, request a full code review of the generated PHP before deployment. The package as-is is incomplete — treat it as a scaffold, not a ready-to-install plugin.

Like a lobster shell, security has layers — review code before you run it.

latestvk976dwem95x5dpg7tys9fxbw35824af1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments