1688 Item Image Optimizer

Advisory

Audited by static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the bundled CLI is used, the skill can persist a sensitive 1688 account access key (AK) and use it later, which could affect the user's 1688 account or backend access.

Why it was flagged

The configure service can store a user-supplied 1688 access key through the local OpenClaw gateway or directly in the OpenClaw config file. This credential authority is not part of the main open-tab instructions and is not clearly declared as the skill's primary credential requirement.

Skill content
payload = {"skills": {"entries": {SKILL_NAME: {"apiKey": api_key}}}} ... skill_entry["apiKey"] = api_key
Recommendation

Do not provide an access key (AK) unless you specifically trust and need the CLI functionality. The maintainer should either remove the credential/config code or clearly declare the credential requirement, its scope, where it is stored, and the intended API use.

What this means

A user may install the skill expecting only a tab-opening helper, while the package contains broader local/API functionality and credential setup code.

Why it was flagged

The bundled CLI advertises configuration, product data, image analysis, editing, and model-generation operations, while SKILL.md presents the skill as only returning an open_tab JSON and forbids CLI use. This can mislead users about the actual capability surface included in the package.

Skill content
Commands (more parameters are listed in SKILL.md at the project root):
    configure
    get_product_title
    get_product_category
    get_product_profile
    judge_image
    edit_image
    generate_images_with_model
Recommendation

Align SKILL.md, metadata, and shipped files. Remove unused or out-of-scope CLI code, or document the CLI capabilities, credentials, and risks in the user-facing skill description.

What this means

If the CLI is run, usage metadata may be sent to the 1688 skills gateway without the user seeing that behavior in the normal skill documentation.

Why it was flagged

The tracker states that every CLI command reports a usage record to the skill gateway and silently ignores failures. This telemetry is not disclosed in the main open-tab-only skill instructions.

Skill content
Each time a CLI command runs, one invocation record is reported to the skill gateway, used to count how often the skill is invoked. A failed report does not affect the main flow and is handled silently.
Recommendation

Disclose usage reporting in SKILL.md and metadata, explain what data is sent, and provide a clear opt-out or avoid telemetry for an instruction-only tab-opening skill.
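The three findings above (undeclared credential persistence, a CLI surface wider than SKILL.md admits, and undisclosed usage reporting) are all visible from the package's text artifacts, which is what an artifact-based review inspects. The following is an added example of how a reviewer could check a skill package for these patterns before installing it; it is not ClawScan's scanner and not code from the 1688 skill. The sample SKILL.md, CLI help, configure source and tracker note are constructed for the demo, and the skills.entries.<name>.apiKey config layout is assumed from the excerpt quoted in the first finding.

```python
"""Static review of a skill package for the patterns in this advisory.

Added example, not the project's or ClawScan's code. The artifacts below
are constructed stand-ins for files a real package would ship.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # "credential", "capability_mismatch" or "telemetry"
    evidence: str  # the line or token that triggered the finding


# --- constructed sample artifacts (not the real skill's files) -------------
SAMPLE_SKILL_MD = """# 1688 Item Image Optimizer
Return an open_tab JSON object pointing at the product page.
Do not call the bundled CLI.
"""

SAMPLE_CLI_HELP = """Commands:
    configure
    get_product_title
    judge_image
    edit_image
"""

SAMPLE_CONFIGURE_PY = '''
def configure(api_key, skill_name, cfg):
    # hypothetical configure service: writes the key into the gateway config
    payload = {"skills": {"entries": {skill_name: {"apiKey": api_key}}}}
    cfg["skills"]["entries"][skill_name]["apiKey"] = api_key
    return payload
'''

SAMPLE_TRACKER_MD = """Each CLI command reports one invocation record to the skill gateway.
Reporting failures are ignored silently.
"""

# A credential written into a config structure: "apiKey": ... or ["apiKey"] = ...
CREDENTIAL_RE = re.compile(r'"(apiKey|accessKey|secretKey)"\s*[:\]]')
# Usage reporting: a report/telemetry verb together with a gateway target.
TELEMETRY_RE = re.compile(r"(report|telemetry|usage record).*(gateway)", re.I)


def find_credential_writes(source: str) -> list[str]:
    """Source lines that store a credential under a config key."""
    return [line.strip() for line in source.splitlines() if CREDENTIAL_RE.search(line)]


def parse_commands(cli_help: str) -> list[str]:
    """Command names from an indented block following a 'Commands' header."""
    commands, in_block = [], False
    for line in cli_help.splitlines():
        if line.strip().startswith("Commands"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            commands.append(line.split()[0])
    return commands


def undeclared_commands(skill_md: str, cli_help: str) -> list[str]:
    """CLI commands the user-facing SKILL.md never mentions."""
    return [cmd for cmd in parse_commands(cli_help) if cmd not in skill_md]


def find_telemetry(doc: str) -> list[str]:
    """Lines describing usage reporting to a gateway."""
    return [line.strip() for line in doc.splitlines() if TELEMETRY_RE.search(line)]


def persisted_keys(config: dict) -> list[str]:
    """Skill entries in an OpenClaw-style config dict that already hold an apiKey.

    Assumes the skills.entries.<name>.apiKey layout quoted in the advisory;
    use this on the installed config to see whether a key was persisted.
    """
    entries = config.get("skills", {}).get("entries", {})
    return sorted(name for name, entry in entries.items()
                  if isinstance(entry, dict) and entry.get("apiKey"))


def review_package(skill_md: str, cli_help: str,
                   sources: list[str], docs: list[str]) -> list[Finding]:
    """Run all three checks over a package's text artifacts."""
    findings = []
    for src in sources:
        findings += [Finding("credential", ev) for ev in find_credential_writes(src)]
    findings += [Finding("capability_mismatch", cmd)
                 for cmd in undeclared_commands(skill_md, cli_help)]
    for doc in docs:
        findings += [Finding("telemetry", ev) for ev in find_telemetry(doc)]
    return findings


if __name__ == "__main__":
    for f in review_package(SAMPLE_SKILL_MD, SAMPLE_CLI_HELP,
                            [SAMPLE_CONFIGURE_PY], [SAMPLE_TRACKER_MD]):
        print(f"{f.kind:20} {f.evidence}")
```

The capability check is deliberately strict: any shipped command that SKILL.md does not name is reported, which is the mismatch the second finding describes. A package that documents its commands, its credential handling and its reporting in SKILL.md produces no findings from this script, which is also the remediation the advisory recommends.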