Skill Dropshipping Fulfillment
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its dropshipping purpose, but it can place real supplier orders and change WooCommerce data using local credentials with limited safeguards.
Install only if you are comfortable giving it WooCommerce and CJ API access. Set explicit credential paths, use least-privilege keys, run dry-run first, process one order at a time until verified, and do not run rebuild-mapping live unless you intend to let it update WooCommerce SKUs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the default command can place real supplier orders, send customer shipping details to CJ, and change store order state.
The documented live command processes all processing orders and performs external order creation plus WooCommerce status changes; dry-run is optional rather than enforced before high-impact actions.
Submits matched items to CJ API as a dropship order
4. Updates WooCommerce order status to `on-hold` ...
# Fulfill all processing orders
node {baseDir}/scripts/fulfill.js
Run dry-run first, prefer --order for a specific order, and require explicit human approval before live bulk fulfillment.
A mapping rebuild could alter product catalog SKUs, affecting inventory, fulfillment, integrations, or storefront operations.
The rebuild script is not just a local mapping generator; in live mode it writes SKU changes back to WooCommerce products and variations.
4. Backfills SKUs on WooCommerce products/variations if missing ...
if (!variation.sku && sku && !DRY_RUN) { ... await wooPut(`/products/${product.id}/variations/${variation.id}`, { sku }); }
Make SKU backfill opt-in with a clear --apply flag, document it prominently, and back up or review affected products before running live.
The skill may use whichever WooCommerce/CJ credentials are present at those paths, making account scope and authority unclear.
The main fulfillment script reads high-impact WooCommerce and CJ credentials from fixed local paths unless overridden, while the registry metadata declares no credentials or required config paths.
const WOO_API_PATH = process.env.WOO_API_PATH || '/home/aladdin/woo-api.json';
const CJ_API_PATH = process.env.CJ_API_PATH || '/home/aladdin/cj-api.json';
Declare the credential requirements, require explicit credential paths, avoid hardcoded home-directory defaults, and use least-privilege WooCommerce API keys.
Users have less context for verifying who maintains the skill and how dependencies should be installed.
The artifact includes Node package files, but provenance and install guidance are limited; the lockfile reduces dependency ambiguity, so this is a notice rather than a primary concern.
Source: unknown
Homepage: none
Install specifications
No install spec — this is an instruction-only skill.
Prefer a published source repository, clear install instructions, and reviewed package-lock dependencies before running.
