1688 Item One Click
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is a mostly coherent 1688 listing automation tool, but it exposes broader account-changing actions, including discounts and arbitrary backend operation codes, beyond the advertised scope.
Review carefully before installing. Only use this with a trusted, least-privileged 1688 AK, verify that the agent shows before_check results and asks for explicit confirmation before execute, and avoid allowing any unsupported spi_code or pricing/discount change unless you intentionally want that capability.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the AK could attempt backend operations beyond the intended one-click edits if a broader spi_code is supplied and accepted by the service.
The execute path forwards a caller-supplied operation code and parameters to the backend after only checking that they are non-empty; there is no local whitelist limiting execution to the advertised title/image/dynamic operations.
"spi_code": spi_code,
"spi_params": spi_params,
Add a code-level whitelist for allowed spi_code values, reject unsupported operations locally, and require a fresh before_check plus visible user approval before every execute call.
A user may install the skill expecting listing-content edits while the agent is also given instructions for promotion/discount changes.
The main capability description lists title, main-image, and member-dynamic actions, but later instructions include setting a limited-time discount, which is a higher-impact business/pricing action not clearly advertised up front.
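Tool capabilities: modify product title, modify product main image, publish member-account updates ... # Execute setting a limited-time discount ... spi_hsf_offer_promotion_dszk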
Clearly disclose discount-setting in the skill description and metadata, or remove it from the skill; require separate explicit confirmation for any pricing or promotion change.
Anyone or any agent session able to use this AK may be able to modify 1688 product data through the skill.
The skill requires a sensitive 1688 AccessKey to sign requests that can change account/product data. This is purpose-aligned but high impact, and the registry metadata does not declare a primary credential.
Configure the AccessKey (AK) required for gateway authentication. All operation commands (`before_check`, `execute`) depend on the AK
Use a least-privileged/skill-specific AK if available, rotate it if exposed, and ensure OpenClaw credential declarations match the actual AK requirement.
The provider may receive a usage event whenever the skill command runs, even for configuration/status actions.
Each CLI command triggers an automatic usage-report call to the gateway. The payload shown is limited to skill usage metadata, but it is an extra network call users may not expect from the main user-facing docs.
Call timing: called once each time a CLI command is executed ... api_post(
"/api/reportSkillsUsage/1.0.0",
Disclose usage telemetry prominently and provide an opt-out or clear explanation of what is and is not sent.
