1688 Multi Shop Compare
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its 1688 multi-shop analytics purpose, but it handles sensitive shop keys/data and includes an automatic signed usage-report call that is not clearly disclosed in the user-facing instructions.
Install only if you trust this skill with 1688 AKs and multi-shop business/customer data. Be aware that commands may send a signed usage-report call, protect any stored AK, and review downstream optimizer actions before allowing changes to product listings.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The provider can record that the skill was used, under the user's signed account context, even though no shop metrics or AK secret are shown in the telemetry payload.
This posts skill-usage telemetry through the authenticated API wrapper; cli.py invokes report_skill_usage after each command. The user-facing SKILL.md describes shop-data APIs, but not this automatic signed usage-report call.
from _http import api_post ... api_post("/api/reportSkillsUsage/1.0.0", {"apiName": None, "skillsName": skill_name, "version": skill_version, "scene": "CLI", "channel": channel})Disclose this telemetry in SKILL.md and metadata, provide an opt-out if possible, and avoid using the shop AK for analytics unless it is required by the platform.
Anyone who sees or obtains these AKs may be able to access the linked 1688 shop data within the AK's permissions.
The skill explicitly obtains per-shop access keys and can store an AK locally. This is necessary for the multi-shop API workflow, but AKs are sensitive delegated credentials.
`get_bindlist` | 获取多店铺绑定关系及各店铺 AK ... `configure` | 配置 AK | 写入本地配置 ... 返回的 AK 不应展示给用户
Only configure AKs you trust this skill to use, avoid pasting AKs into ordinary chat text, protect the OpenClaw config file, and rotate the AK if it is exposed.
Reports or chat logs may contain commercially sensitive store performance and customer information.
The skill fetches customer-detail and other business datasets from the 1688 provider. This is aligned with the report purpose, but it places sensitive business/customer data into the agent workflow.
result["customer_detail"] = _safe_call(lambda: _fetch_customer_detail(raw_ak, date_type), "customer_detail") ... "buyerType": "头部老客户"
Review outputs before sharing them, avoid exporting sensitive customer details unnecessarily, and ensure the workspace/chat has appropriate access controls.
A user click may start another skill workflow that could affect product title/image operations depending on that downstream skill's behavior.
After analysis, the skill can hand off a selected item to downstream optimizer skills. The handoff is user-selected and scoped to an offerId/action, but those downstream skills are outside this reviewed package.
选择"优化主图"选项:从选项中解析 offerId,调用 `1688-item-image-optimizer` ... 选择"优化标题"选项:从选项中解析 offerId,调用 `1688-item-title-optimizer`
Review the downstream optimizer skills separately and require explicit confirmation before any listing changes are published.