1688 Customer Opportunity

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its 1688 CRM purpose, but it under-declares and inconsistently handles an access key while also being able to start automated buyer-marketing plans.

Install only if you trust the publisher with 1688 account/customer access. Before providing an AK, verify why it is needed, check that it is stored under the correct skill entry, and carefully confirm any marketing-plan activation because it can start customer outreach.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may ask for a 1688 access key that can access account/customer data even though the registry does not clearly advertise that requirement.

Why it was flagged

A core capability requires an Access Key, while the registry metadata declares no required env vars and no primary credential, under-disclosing account authority at install time.

Skill content

- AK configured (if not configured, the skill prompts you to run `cli.py configure YOUR_AK`)

Recommendation

Declare the required 1688 AK/secret in metadata, including what data and actions the credential enables.

What this means

The access key could be stored under an unexpected skill entry, making it harder to audit, revoke, or reason about which skill can use it.

Why it was flagged

The reviewed skill is `1688-customer-opportunity`, but the configure service stores the AK under `1688-open-skill-template`, creating an unclear credential ownership boundary.

Skill content

SKILL_NAME = "1688-open-skill-template" ... skill_entry["apiKey"] = api_key

Recommendation

Store and read credentials under the actual skill slug/name, and document the exact OpenClaw config location.

What this means

A user could provide a sensitive key under a misleading explanation of what it will be used for.

Why it was flagged

The credential guidance says the AK is for DingTalk message sending, but the skill purpose and code are for 1688 customer/CRM operations.

Skill content

Please provide your AK (Access Key), used for authentication when sending DingTalk messages.

Recommendation

Replace the DingTalk/template text with accurate 1688 CRM credential guidance before users provide an AK.

What this means

Confirming the plan can start an operational marketing workflow that sends WangWang marketing copy to selected customer groups.

Why it was flagged

The skill can activate a CRM marketing plan, which is a high-impact business action even though it is aligned with the stated purpose.

Skill content

Start an AI customer-group operations plan. Calls the backend HSF interface (`ISmartCrmMarketingPlanService.insert`); on success, the operations plan enters the executing state.

Recommendation

Only confirm activation when the audience, message text, and business impact are clear.

What this means

The skill reports usage metadata automatically, and this behavior is not clearly surfaced in the registry metadata or main description.

Why it was flagged

Every CLI command triggers an additional usage-reporting API call that is not part of the user's immediate CRM request.

Skill content

Invocation timing: called once each time a CLI command executes ... api_post("/api/reportSkillsUsage/1.0.0",

Recommendation

Disclose usage telemetry clearly and, ideally, make it opt-in or explain exactly what is sent.

What this means

Customer identifiers and recent chat-derived information may be processed to generate buyer profiles and follow-up advice.

Why it was flagged

The skill can use recent WangWang chat text and buyer identifiers for customer profiling through provider APIs.

Skill content

Data source | WangWang real-time chat + TPP inference ... last 4 days / at most 20 messages / text only

Recommendation

Use the skill only for accounts where you are allowed to process customer/chat data, and confirm the provider/API data handling terms.