Is woocommerce safe?
https://clawhub.ai/byungkyu/woocommerce
This skill is a WooCommerce REST API integration that routes all e-commerce traffic through Maton's third-party proxy (gateway.maton.ai), giving Maton full access to customer PII, orders, and store configuration. While no overtly malicious behavior was detected during installation, the skill teaches the agent destructive operations without confirmation guardrails and establishes inline code execution patterns that expand the attack surface for prompt injection.
Findings (9)
HIGH All API traffic routed through third-party proxy -25
Every API call is proxied through gateway.maton.ai rather than connecting directly to the user's WooCommerce store. This gives Maton full visibility into all e-commerce data including customer personal information, order details, payment methods, and store configuration. Users must trust Maton as a data processor with no transparency into their data handling practices.
HIGH Skill teaches agent destructive operations without guardrails -25
The skill documents numerous destructive API endpoints (DELETE products, DELETE orders, DELETE customers, batch deletes, refund processing) without any instruction to confirm with the user before executing. An attacker could use prompt injection in product names, order notes, or customer fields to trick the agent into executing destructive operations.
MEDIUM Cross-skill reference enables chaining attacks -13
The skill description explicitly references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could be used to social-engineer agents into installing additional skills, expanding the attack surface.
MEDIUM Webhook creation allows arbitrary data exfiltration endpoints -10
The skill teaches the agent to create webhooks with arbitrary delivery_url values. A prompt injection attack or social engineering could cause the agent to create webhooks that send all order/customer/product events to an attacker-controlled server.
MEDIUM Inline Python execution patterns in SKILL.md -15
The skill provides multiple Python heredoc examples that the agent is expected to execute directly. While these are API documentation examples rather than malicious payloads, they establish a pattern of shell-based code execution that could be exploited through prompt injection in API responses.
MEDIUM Environment variable exfiltration risk via shell execution -15
The Python code examples access os.environ['MATON_API_KEY'] and send it to external servers. If the agent executes modified versions of these commands (via prompt injection in API responses), other environment variables could be exfiltrated.
LOW Shared API key across skill ecosystem expands blast radius -20
MATON_API_KEY appears to be shared across multiple Maton skills (WooCommerce, api-gateway, and potentially others). Compromise of this single key would grant access to all connected services simultaneously.
LOW AWS credentials file accessed during installation -5
The filesystem monitoring shows /home/oc-exec/.aws/credentials was opened during the clone phase. This appears to be from the OpenClaw agent runtime rather than the skill itself, but warrants noting.
INFO Legitimate WooCommerce API wrapper with standard functionality -5
The skill is a straightforward WooCommerce REST API integration that proxies through Maton's gateway for OAuth management. The functionality is consistent with its stated purpose. The primary risk is the third-party proxy pattern rather than any overtly malicious behavior.