Latest release: v0.1.0
Capabilities
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The bundled plugin is coherent with an AliMerce store assistant, but SKILL.md only says "alimerce" while the plugin exposes product, order, user, and customer-memory administration.
Instruction Scope
The code exposes write-capable tools such as product creation and product updates for price, inventory, and status. Some very high-risk cases are blocked, but many business-impacting mutations are not clearly scoped, reversible, or approval-gated.
Install Mechanism
No remote installer, shell setup, or package-install step is shown; the reviewed behavior is in the bundled plugin files.
Credentials
Using an AliMerce API URL and token is expected for a backend connector, but the registry metadata declares no environment variables and no primary credential, while the code reads ALIMERCE_API_URL and ALIMERCE_API_TOKEN.
Persistence & Privilege
The plugin activates on startup to register tools, but the artifacts do not show a hidden background loop, scheduler, self-propagation, or local persistence beyond normal plugin availability.
Scan Findings in Context
[suspicious.env_credential_access] expected: index.js reads ALIMERCE_API_URL and ALIMERCE_API_TOKEN and sends the token as an Authorization bearer token to the configured AliMerce API. That is expected for this integration, but it is under-declared in the registry metadata and should be least-privilege.
What to consider before installing
Install only if you intend to give OpenClaw access to an AliMerce backend. Use a least-privileged token, verify the API URL, test against staging first, and require explicit approval/audit logging for product, order, user, and customer-preference changes.
index.js:10
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.