1688-product-search

v1.0.3

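1688 product search SKILL: provides complete 1688 product search capability, including 9 core interfaces such as category query, keyword search, image search, product details, related products, and pulling the product pool. Supports multilingual search and product recommendation, and uses the official 1688 Open Platform API with unified authentication and a globally shared token cache.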

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included Python scripts all implement 1688 product search, image search, and related endpoints and require 1688 API credentials (AppKey/AppSecret/refresh_token). No unrelated cloud providers or unrelated credentials are requested.
Instruction Scope
Runtime instructions and scripts perform expected actions: read 1688 credentials from environment, call 1688 APIs, download user-supplied image URLs, compress images, upload them to 1688, and write temporary files. These behaviors are consistent with the stated purpose, but the skill will download arbitrary image URLs (from user input) and write temp files and a token cache to disk — the documentation suggests a different token cache path than the code actually uses.
Install Mechanism
This is instruction-and-code-only with no install spec. No external/opaque download/install steps are present in the manifest, so nothing is fetched from untrusted URLs at install time.
Credentials
The skill requires ALI1688_APP_KEY, ALI1688_APP_SECRET, and ALI1688_REFRESH_TOKEN (and optionally accepts ALI1688_ACCESS_TOKEN). These credentials are appropriate and expected for calling the 1688 API; no unrelated secrets are requested. Note: the registry summary earlier claimed 'no required env vars', which contradicts SKILL.md.
Persistence & Privilege
The skill writes a shared token cache file to the user's home path: PATH = ~/.openclaw/workspace/skills/.1688_token_cache.json (as implemented in the auth modules). SKILL.md mentions a different relative path (skills/.1688_token_cache.json). The skill is not marked 'always: true' and does not modify other skills, but the shared cache file means multiple 1688-related skills will reuse the same token storage — consider whether that sharing and the home-directory write are acceptable.
Assessment
This skill appears to implement the 1688 product-search functionality it claims and only needs 1688 credentials. Before installing:
1) Verify you are comfortable providing ALI1688_APP_KEY/ALI1688_APP_SECRET and a refresh token to the environment (these are necessary).
2) Note the skill writes a token cache to your home directory (~/.openclaw/workspace/skills/.1688_token_cache.json) — confirm you accept a shared cache file and its location; SKILL.md and the code disagree on the cache path.
3) The skill downloads user-supplied image URLs and writes temporary files (/tmp and temp dirs) — avoid providing URLs you do not trust.
4) smart_recommend.py uses subprocess.run to call local scripts (product_search.py); this runs code included with the skill but review those files if you need higher assurance.
5) Registry metadata in the manifest (which showed no required env vars) conflicts with SKILL.md; prefer the values declared in SKILL.md and the scripts.
If you need higher assurance, run the scripts in a sandboxed environment, inspect the files locally, and consider using a dedicated 1688 service account with limited permissions.

Like a lobster shell, security has layers — review code before you run it.
