WPClaw Lite (WordPress/WooCommerce connector)

v1.0.0

Connects to a WooCommerce store via the WPClaw Connector plugin to fetch orders and products.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name, README, SKILL.md, and scripts/index.js all describe a WooCommerce/WPClaw connector and the code implements exactly that (endpoints under /wp-json/wpclaw/v1, order/product lookup, and a status check). This is coherent with the declared purpose. However, registry metadata listed no required environment variables while both SKILL.md and the code require WPCLAW_STORE_URL and WPCLAW_STORE_SECRET, which is an inconsistency in packaging/metadata that should be resolved.
Instruction Scope
SKILL.md instructs only actions related to the connector (check_order, find_product, store_status). The code uses only the declared env vars and does not read other system files or unrelated credentials. One implementation detail: SKILL.md and README claim requests are HMAC-SHA256-signed; the code signs POST requests with X-WPClaw-Signature but performs an unsigned GET for the store_status endpoint — this may be intentional (public status endpoint) or an oversight. No instructions ask the agent to collect unrelated system data.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes package.json and README guidance to run npm install (axios dependency). That is a normal, low-to-moderate risk install pattern. No external, unusual download URLs or extract/install steps are present in the skill bundle.
Credentials
The code and SKILL.md require two environment variables (WPCLAW_STORE_URL and WPCLAW_STORE_SECRET) — this is appropriate for the purpose. However, the registry metadata declares no required env vars and no primary credential, creating a proportionality/packaging mismatch. The store secret is sensitive (it grants API access to the store) and the skill requests it; the registry should have declared this. Verify why the metadata omitted these requirements before provisioning secrets.
Persistence & Privilege
The skill is user-invocable, not always-included, and does not request elevated persistence or modify other skills/config. It doesn't persist additional credentials itself or request system-wide config changes. Autonomous invocation is allowed (platform default); nothing in the skill elevates privilege beyond normal operation.
What to consider before installing
This skill's behavior is consistent with a WooCommerce connector, but the package metadata omitted the environment variables that the code actually requires. Before installing: (1) Confirm the publisher and that the WordPress plugin (WPClaw Connector) on your store is genuine and audited; (2) only provide the WPCLAW_STORE_SECRET to trusted code and consider using a least-privilege/test store or rotated key for evaluation; (3) verify transport is HTTPS for WPCLAW_STORE_URL and that the plugin expects HMAC signatures as implemented; (4) ask the publisher to correct the registry metadata so required credentials are declared; (5) review the WP plugin server-side code (or test in staging) to ensure no unexpected endpoints or behaviors; and (6) run npm install in an isolated environment and inspect node_modules if you plan to execute the skill locally. The current inconsistencies suggest a packaging error or sloppy release process rather than clear malicious intent, but treat the store secret as sensitive until you validate the whole stack.

Like a lobster shell, security has layers — review code before you run it.

latestvk976dypg93jqr80xcjfhhq6gjd80bbar
