📦 WPClaw Lite — WordPress Connector

v1.0.0

Lite edition of the WordPress/WooCommerce connector tool.

Last updated: 2026/2/27
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
The skill's code and SKILL.md largely match its stated WooCommerce connector purpose, but packaging/metadata inconsistencies (missing required env vars in registry metadata vs. SKILL.md/code) and a few small implementation discrepancies mean you should verify details before installing.
Assessment recommendations
This skill's behavior is consistent with a WooCommerce connector, but the package metadata omitted the environment variables that the code actually requires. Before installing: (1) Confirm the publisher and that the WordPress plugin (WPClaw Connector) on your store is genuine and audited; (2) only provide the WPCLAW_STORE_SECRET to trusted code and consider using a least-privilege/test store or rotated key for evaluation; (3) verify transport is HTTPS for WPCLAW_STORE_URL and that the plugin exp...
Detailed analysis
Purpose and capabilities
The skill name, README, SKILL.md, and scripts/index.js all describe a WooCommerce/WPClaw connector and the code implements exactly that (endpoints under /wp-json/wpclaw/v1, order/product lookup, and a status check). This is coherent with the declared purpose. However, registry metadata listed no required environment variables while both SKILL.md and the code require WPCLAW_STORE_URL and WPCLAW_STORE_SECRET, which is an inconsistency in packaging/metadata that should be resolved.
Instruction scope
SKILL.md instructs only actions related to the connector (check_order, find_product, store_status). The code uses only the declared env vars and does not read other system files or unrelated credentials. One implementation detail: SKILL.md and README claim requests are HMAC-SHA256-signed; the code signs POST requests with X-WPClaw-Signature but performs an unsigned GET for the store_status endpoint — this may be intentional (public status endpoint) or an oversight. No instructions ask the agent to collect unrelated system data.
Install mechanism
There is no formal install spec in the registry (instruction-only), but the package includes package.json and README guidance to run npm install (axios dependency). That is a normal, low-to-moderate risk install pattern. No external, unusual download URLs or extract/install steps are present in the skill bundle.
Credential requirements
The code and SKILL.md require two environment variables (WPCLAW_STORE_URL and WPCLAW_STORE_SECRET) — this is appropriate for the purpose. However, the registry metadata declares no required env vars and no primary credential, creating a proportionality/packaging mismatch. The store secret is sensitive (it grants API access to the store) and the skill requests it; the registry should have declared this. Verify why the metadata omitted these requirements before provisioning secrets.
Persistence and privileges
The skill is user-invocable, not always-included, and does not request elevated persistence or modify other skills/config. It doesn't persist additional credentials itself or request system-wide config changes. Autonomous invocation is allowed (platform default); nothing in the skill elevates privilege beyond normal operation.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/2/1

wpclaw-lite 1.0.0
- Initial release as "WPClaw Connector" skill.
- Connects to WooCommerce stores via the WPClaw Connector plugin.
- Supports fetching order details, searching for products, and checking store connection status.
- Requires `WPCLAW_STORE_URL` and `WPCLAW_STORE_SECRET` environment variables for configuration.

Benign

Install command

Official: npx clawhub@latest install wpclaw-lite
Mirror (accelerated): npx clawhub@latest install wpclaw-lite --registry https://cn.longxiaskill.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库