Skill Dropshipping Sourcing
Verdict: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: skill-dropshipping-sourcing
Version: 1.0.2

The skill is classified as suspicious due to a path traversal vulnerability in `scripts/source.js`. The script passes the `--out` argument directly to `fs.writeFileSync(args.out, ...)`, which could allow an attacker or a prompt-injected agent to write to arbitrary file paths (e.g., `../../etc/passwd`) instead of the intended local output file. While the overall intent of the skill (CJ Dropshipping API interaction) appears benign, this vulnerability presents a significant risk of unauthorized file modification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your CJ API key and access token to query CJ services, and those credentials are stored in a local JSON file.
The skill requires local CJ API credentials and a configurable API base URL. This is disclosed and aligned with the CJ integration, but it is sensitive account authority.
Config: `./cj-api.json` - `apiKey`, `baseUrl`, `accessToken`, `tokenExpiry`
Use a CJ key intended for this workflow, keep cj-api.json private, and confirm baseUrl points to the legitimate CJ API endpoint before running the scripts.
The skill may not run until Node.js and axios are available, and users must ensure any manually installed dependency comes from a trusted source.
The scripts depend on axios, while the supplied metadata says there is no install spec and no required binaries. This is an undeclared dependency gap rather than evidence of malicious behavior.
Evidence: `const axios = require('axios');`

Install dependencies from trusted package sources, prefer pinned versions, and consider adding an explicit install specification or package manifest.
