Skill Dropshipping Sourcing
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims—query CJ Dropshipping using local CJ credentials—but users should protect the local credential file and note the undeclared Node/axios dependency.
Before installing, create and protect cj-api.json carefully, verify that baseUrl is the real CJ Dropshipping API endpoint, and ensure Node.js plus a trusted axios installation are available. The included code is straightforward and purpose-aligned, but it does handle live CJ API credentials.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your CJ API key and access token to query CJ services, and those credentials are stored in a local JSON file.
The skill requires local CJ API credentials and a configurable API base URL. This is disclosed and aligned with the CJ integration, but it is sensitive account authority.
Config: `./cj-api.json` - `apiKey`, `baseUrl`, `accessToken`, `tokenExpiry`
Use a CJ key intended for this workflow, keep cj-api.json private, and confirm baseUrl points to the legitimate CJ API endpoint before running the scripts.
The skill may not run until Node.js and axios are available, and users must ensure any manually installed dependency comes from a trusted source.
The scripts depend on axios, while the supplied metadata says there is no install spec and no required binaries. This is an undeclared dependency gap rather than evidence of malicious behavior.
const axios = require('axios');Install dependencies from trusted package sources, prefer pinned versions, and consider adding an explicit install specification or package manifest.