Latest release: v0.1.4Download zip
Capabilities
Compatibility
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The plugin registers tools for AliMerce products, users, orders, and customer preferences, which aligns with the description of a商城/ecommerce AI assistant for backend management. It does not request unrelated cloud credentials, shell access, or system files.
Instruction Scope
The provided SKILL.md content is actually package.json-style metadata rather than human-readable runtime instructions. That is a packaging/documentation issue, but the visible plugin code stays within the AliMerce ecommerce API scope and does not instruct the agent to read unrelated files, environment variables, or system state.
Install Mechanism
There is no separate install spec or arbitrary download, which is good. However, package.json declares npm dependencies such as @modelcontextprotocol/sdk, @sinclair/typebox, and axios even though the visible compiled code appears to use OpenClaw's plugin SDK and native fetch instead. This looks like unused or template leftover dependency bloat rather than clear malicious behavior.
Credentials
No environment variables or config paths are required. The plugin uses OpenClaw plugin configuration for apiUrl and apiToken, which is proportionate for connecting to an AliMerce backend API. The token is only sent as a Bearer token to the configured AliMerce API URL.
Persistence & Privilege
The registry flag always is false. The plugin manifest activates on startup to register its tools, which is normal for an enabled plugin and does not appear to modify other skills or system-wide settings.
Assessment
Before installing, confirm that the configured apiUrl is your own trusted AliMerce backend, because the plugin can read and modify store data such as products, users, orders, and customer preferences through that API. Also note that the code shown was truncated, so this assessment is based on the visible source and metadata; reviewing the full package source would increase confidence.