Dropship Product Pipeline

v1.0.0

End-to-end dropship product lifecycle pipeline. CJ Dropshipping sourcing → margin check → Flux Kontext AI hero image → WooCommerce publish → CJ supplier mapp...

by Zero2Ai @zero2ai-hub
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes CJ Dropshipping → image generation (Flux Kontext / OpenAI) → WooCommerce/WordPress publishing, which coherently requires CJ, FAL/OPENAI, WooCommerce, and WP credentials. However, the registry metadata above the SKILL.md lists no required env vars or binaries while SKILL.md lists many — this mismatch is unexpected and reduces trust.
Instruction Scope
The instructions tell the agent/user to run node scripts (node scripts/pipeline.js) that are not included in the skill bundle. The pipeline will send real CJ product photos to third-party image-generation services (Flux Kontext and OpenAI) and will publish to WooCommerce/WordPress. That’s consistent with the stated purpose but raises data-exfiltration and privacy considerations — product images and product metadata will be transmitted to external AI services. The SKILL.md also references a local cj-supplier-selection.json file and writing pipeline-result-{slug}.json, so you must review any script that implements those behaviors before running.
Install Mechanism
No install spec (instruction-only) reduces installation risk. However, the skill requires node and an unspecified scripts/pipeline.js that is not provided in the bundle — the instructions assume you have or will place code on disk. That gap is suspicious: either the skill is only documentation for a separate code repo, or it expects you to obtain/run external code not reviewed here.
Credentials
The SKILL.md requests multiple secrets (FAL_KEY, OPENAI_API_KEY, CJ_ACCESS_TOKEN, WOO_URL/WOO_KEY/WOO_SECRET, WP_URL/WP_USER/WP_APP_PASS) that are proportional to the described pipeline. Requiring both Flux Kontext and OpenAI keys is explained (primary + fallback). The registry metadata's omission of these env vars is an inconsistency to resolve before trusting the skill. Ensure keys are scoped/limited (read-only or limited-scope API keys) where possible.
Persistence & Privilege
The skill does not request always:true and has no install that would grant persistent privileged presence. The SKILL.md indicates outputs written to local files (hero-*.jpg, pipeline-result-*.json) which is normal for a pipeline. There is no evidence here the skill modifies other skills or system-wide agent settings.
What to consider before installing
Do not run unknown node scripts referenced by this SKILL.md without inspecting them first. The SKILL.md lists many secrets (CJ, WooCommerce, WordPress, Flux Kontext, OpenAI) and will transmit product photos/metadata to external AI services — consider privacy and IP implications. Resolve the metadata mismatch: the registry claims no required envs/binaries but SKILL.md requires node and many keys. Ask the publisher for the pipeline code (scripts/pipeline.js) and review it line-by-line (or run it in an isolated test environment) before supplying real credentials. If you proceed, create least-privilege API keys (restrict to needed scopes and test with a dry-run), and prefer non-production stores/accounts for initial testing.

Like a lobster shell, security has layers — review code before you run it.
