design ecommerce
Pass
Audited by VirusTotal on Apr 1, 2026.
Findings (1)
The skill bundle contains a command injection vulnerability in `scripts/run_command.sh`. The script expands user-controlled shell variables (the action name and the input JSON) directly into Python source that it then runs with `python3 -c`, for example by embedding the JSON as `'''${INPUT_JSON}'''`. Because the expansion is purely textual, any value containing `'''` terminates the string literal and everything after it is parsed as Python, so a crafted action name or JSON document can execute arbitrary Python, and through it arbitrary shell commands, with the privileges of the skill. The skill's stated purpose, ecommerce image processing via the Meitu-hosted Designkit API (openclaw-designkit-api.meitu.com), appears legitimate, and the script follows some good practices such as redacting the API key in logs; nonetheless, this implementation flaw is a high-risk surface for exploitation.
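The following is an added example, not code from the skill bundle or from the audit: it reconstructs the pattern the finding describes (shell-style textual substitution of `${INPUT_JSON}` inside a `python3 -c` program) with a hypothetical template, shows with `ast.parse` that a crafted JSON value adds statements to the program, runs both the vulnerable and a hardened form through the current interpreter, and demonstrates that passing the JSON as a separate argv element (`sys.argv[1]`) closes the hole. The template text, the `remove_background` action name and the attacker payload are all constructed for illustration.

```python
import ast
import subprocess
import sys

# Constructed template mirroring the pattern the audit describes: the shell
# script expands ${INPUT_JSON} textually inside the program given to python3 -c.
# This is an illustrative reconstruction, NOT the skill's actual run_command.sh.
VULNERABLE_TEMPLATE = (
    "import json\n"
    "data = json.loads('''${INPUT_JSON}''')\n"
    "print(data['action'])\n"
)

# Hardened form: the JSON never becomes part of the program text; it is handed
# to python3 as its own argv element and read back with sys.argv[1].
SAFE_PROGRAM = (
    "import json, sys\n"
    "data = json.loads(sys.argv[1])\n"
    "print(data['action'])\n"
)

# Constructed sample inputs.
BENIGN_JSON = '{"action": "remove_background"}'
# The attacker value closes the ''' literal, appends a statement, then reopens
# a literal so the rest of the template still parses without a syntax error.
MALICIOUS_JSON = '{"action": "noop"}\'\'\');print("INJECTED");x=(\'\'\''


def expand_vulnerable(input_json):
    """Reproduce the shell's textual substitution of ${INPUT_JSON}."""
    return VULNERABLE_TEMPLATE.replace("${INPUT_JSON}", input_json)


def statement_count(source):
    """Top-level statements python3 would execute; the untouched template has 3."""
    return len(ast.parse(source).body)


def run_vulnerable(input_json):
    """Run the expanded program exactly as `python3 -c "$PROGRAM"` would."""
    source = expand_vulnerable(input_json)
    proc = subprocess.run([sys.executable, "-c", source],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_safe(input_json):
    """Run the hardened program: python3 -c '...' "$INPUT_JSON" (separate argv)."""
    proc = subprocess.run([sys.executable, "-c", SAFE_PROGRAM, input_json],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_JSON), ("malicious", MALICIOUS_JSON)):
        print(label, "statements:", statement_count(expand_vulnerable(payload)))
        print(label, "vulnerable ->", run_vulnerable(payload))
        print(label, "safe       ->", run_safe(payload))
```

In the shell script itself the equivalent fix is to stop interpolating variables into the `-c` string and instead pass them as quoted, separate arguments (`python3 -c '...sys.argv[1]...' "$ACTION" "$INPUT_JSON"`) or on stdin; the same applies to the action name. A quick check when reviewing a bundle is to look for `python3 -c` (or `sh -c`, `eval`) whose program text contains a `${...}` or `$VAR` expansion.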
