Skill Dropshipping Fulfillment

This package implements the dropshipping workflow but has several red flags you should address before running it on real data: - Credentials and paths: The code expects WooCommerce and CJ credentials in local JSON files (woo-api.json, cj-api.json) but the registry metadata does not declare these. Confirm where you'll store credentials and put those files in a safe location. Prefer using environment-variable overrides to point paths to a controlled directory. - Default absolute paths: The runtime scripts default to /home/aladdin/*. That contradicts the SKILL.md examples and could cause the tool to read or overwrite files in an unrelated user's directory. Always set WOO_API_PATH, CJ_API_PATH, CJ_SELECTION_PATH, FULFILL_LOG_PATH, and REJECTION_LOG_PATH to safe paths before running. - Backfill behavior: rebuild-mapping.js can PUT updates to your WooCommerce store (backfilling SKUs). Run with --dry-run first and review the mapping output; only run live after verifying results. - Token persistence: The tool will refresh CJ access tokens and write them to cj-api.json. Ensure that file is secured (permissions) and located where you expect. - Test in isolation: Run the scripts in a disposable container or VM and use dry-run mode initially. Inspect the scripts line-by-line (they are small) or run them with network disabled to observe behavior. Consider creating throwaway API keys/accounts for initial tests. - If you need tighter security: require the vendor to declare required env vars/primary credential in metadata, remove hard-coded absolute defaults, and avoid writing tokens to predictable locations. Given the coherent functionality but the mismatches (undisclosed credential/file usage and risky defaults), treat this skill as suspicious and do not run it against production stores until you've corrected/configured paths and validated behavior in a safe environment.