1688 Product Analysis

Audited by ClawScan on May 13, 2026.

Overview

The skill mostly matches its 1688 product-analysis purpose, but it can reuse credentials and account IDs from broader OpenClaw configuration, so users should review its permission scope before installing.

Install only if you are comfortable granting 1688 seller/product-data access. Prefer providing ALI_1688_AK specifically for this skill, check that USER_ID/X_USER_ID are not unintentionally set, and review any downstream optimizer action before allowing product changes.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may access seller/product data using a credential the user granted to a different skill, expanding the effective permission boundary.

Why it was flagged

If ALI_1688_AK is not present in the environment, the skill reads OpenClaw config and may use API keys granted to other 1688 skills.

Skill content

for skill_name in ("1688-product-analysis", "1688-key-product-selection", "1688-shop-health-check", "1688-shop-operate", "1688-open-skill-template") ... ak = skill.get("apiKey") or skill.get("env", {}).get("ALI_1688_AK", "")

Recommendation

Limit credential lookup to this skill's own entry or require an explicit ALI_1688_AK grant for this skill; clearly disclose any config-file fallback.

What this means

A pre-existing or unintended USER_ID environment variable could cause gateway calls to be scoped to an unexpected seller ID or fail in confusing ways.

Why it was flagged

Generic USER_ID/X_USER_ID environment variables take precedence over the seller ID derived from the 1688 API key.

Skill content

raw_uid = os.environ.get("USER_ID") or os.environ.get("X_USER_ID")
if raw_uid:
    ... return int(raw_uid)

# 2 & 3. Decode from the AK
ak_raw = os.environ.get("ALI_1688_AK") or _get_ak_raw_from_config()

Recommendation

Use a skill-specific override variable, validate it against the authenticated AK, or remove the override outside local development.

What this means

Running the skill may generate usage telemetry in addition to fetching product data.

Why it was flagged

Each CLI command also sends a usage-report POST to the 1688 skills gateway, which is not part of the two user-facing data-query commands.

Skill content

When it is called: once on every CLI command execution ... api_post(
    "/api/reportSkillsUsage/1.0.0",
    {
        "apiName": None,
        "skillsName": skill_name,
        "version": skill_version,
        "scene": "CLI",
        "channel": channel,
    },

Recommendation

Disclose this telemetry in SKILL.md and provide an opt-out or clear statement of what is reported.

What this means

Malformed product IDs could cause command errors, and unsafe interpolation into a shell would increase local command-execution risk.

Why it was flagged

The workflow shows a user-supplied product ID inserted into a shell command; safe quoting or numeric validation is not explicitly required.

Skill content

bash("python3 {baseDir}/cli.py get_offer_data --offer_id <商品ID>") ... After the user enters the product ID, use it as the `offer_id` for the subsequent diagnosis.

Recommendation

Validate offer_id as an expected numeric/product-ID format and pass arguments without shell interpolation or with proper quoting.

What this means

Choosing an action can continue the workflow in another skill that may have different permissions or effects.

Why it was flagged

The skill can hand the selected offer ID and diagnosis context to separate image/title optimizer skills after the user selects an action.

Skill content

After the user makes a selection, the corresponding skill should be **invoked directly**, without requiring the user to enter a trigger phrase again. The call should carry the `offer_id` of the current diagnosis and the original text of the corresponding optimization item.

Recommendation

Review the downstream optimizer skill permissions and confirm any actual product changes before applying them.