Dropship Product Pipeline
Security checks across malware telemetry and agentic risk
Overview
The skill’s ecommerce workflow is coherent, but it asks for powerful store and supplier credentials while relying on a missing, unreviewed Node pipeline and limited publishing safeguards.
Only install or use this after you can inspect the actual pipeline.js implementation. Start with dry-run or a test store, use limited-scope credentials, confirm every product and supplier mapping before publishing or enabling fulfillment, and rotate any credentials used during testing.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may be asked to run or locate unreviewed code for a workflow that can access store credentials and publish products.
The documented entry point is a Node script, but the supplied package contains only SKILL.md and no install spec or script files, so the implementation that would handle credentials and publish products is absent from review.
node scripts/pipeline.js --keyword "ring light" --sell-price 89
Require the publisher to include the actual pipeline code, dependency manifests, and install instructions; do not use production credentials until the runnable implementation is reviewed.
Supplying these credentials could allow product creation, media upload, price/SKU changes, and supplier/account actions if the underlying script is run.
These credentials can grant supplier, WooCommerce, and WordPress account access, but the registry metadata says there are no required env vars or primary credentials and the skill does not define least-privilege scopes.
CJ_ACCESS_TOKEN ... WOO_KEY ... WOO_SECRET ... WP_USER ... WP_APP_PASS
Use a test store first, create least-privileged WooCommerce and WordPress credentials, avoid admin-level accounts where possible, rotate keys after testing, and ensure credential requirements are declared in metadata.
An incorrect product, price, image, or SKU could be published to a live store without a built-in approval checkpoint.
Publishing products and setting prices are high-impact business mutations; the skill documents dry-run as optional but does not require a review or confirmation step before the live publish path.
WooCommerce Publish — Upload hero + gallery images, create product, set price/SKU.
Make dry-run or draft-product creation the default, add an explicit user approval step before publishing, and document rollback/removal steps for created products and media.
A bad supplier mapping could later cause fulfillment errors or wrong supplier selections.
The skill intentionally writes a persistent mapping used by another fulfillment automation; this is disclosed, but mistakes in that file can propagate to downstream order fulfillment.
Add product to your `cj-supplier-selection.json` for auto-fulfillment via `skill-dropshipping-fulfillment`.
Review the generated CJ mapping before enabling auto-fulfillment and keep a backup of the previous mapping file.