1688 Shop Health Check

Advisory
Audited by static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static-scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes. The observations below are informational and are not counted as findings.

What this means

Anyone who can run the skill with the stored AccessKey can query whatever shop, customer and business metrics that AK is permitted to read.

Why it was flagged

The skill requires a 1688 AccessKey and stores it locally so it can authenticate later shop-data API calls. This is aligned with the 1688 analysis purpose, but it grants account-level data access.

Skill content
`python3 {baseDir}/cli.py configure YOUR_AK` | Writes the AK to the local config ... The AK must be configured before first use; otherwise all read-only interfaces return ... "AK not configured"

Recommendation

Use only an authorized, revocable, least-privileged 1688 key and remove or rotate it when no longer needed.
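Hardening the local AK storage this observation describes, as an added example and not the skill's own cli.py: the report says only that `configure YOUR_AK` writes the AK to a local config, so the file name, JSON layout and function names here are assumptions. The write is owner-only (0600) and the load refuses a config that other local users can read, since a leaked config file is exactly the "anyone who can run the skill with the stored AccessKey" case above.

```python
"""Hardened local AK storage (added example, not the skill's cli.py).

Assumptions not in the report: config file name, JSON layout, helper names.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

CONFIG_NAME = "config.json"  # assumed file name


def configure(config_dir: Path, ak: str) -> Path:
    """Write the AK owner-only (mode 0600) so other local users cannot read it."""
    ak = ak.strip()
    if not ak:
        raise ValueError("empty AK")
    config_dir.mkdir(parents=True, exist_ok=True)
    path = config_dir / CONFIG_NAME
    # No O_EXCL: re-running configure rotates the key in place. The explicit
    # mode defeats a permissive umask on creation, and the chmod tightens a
    # pre-existing file that was created with wider permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"ak": ak}, fh)
    os.chmod(path, 0o600)
    return path


def load_ak(config_dir: Path) -> str:
    """Refuse to use an AK whose file is readable by group or others."""
    path = config_dir / CONFIG_NAME
    if not path.exists():
        raise RuntimeError("AK not configured")  # mirrors the skill's message
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} mode {oct(mode)} is too permissive; expected 0600")
    ak = json.loads(path.read_text()).get("ak", "")
    if not ak:
        raise RuntimeError("AK not configured")
    return ak


def redact(ak: str, keep: int = 4) -> str:
    """Show only the last few characters when the AK appears in logs or summaries."""
    if len(ak) <= keep:
        return "*" * len(ak)
    return "*" * (len(ak) - keep) + ak[-keep:]


def demo(ak: str = "example-ak-0000-1234") -> dict:
    """Round trip in a temp dir: write, check mode, load, then loosen the
    permissions and confirm load_ak refuses. The AK value is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        path = configure(d, ak)
        mode = stat.S_IMODE(path.stat().st_mode)
        loaded = load_ak(d)
        os.chmod(path, 0o644)  # simulate a widened permission
        try:
            load_ak(d)
            refused = False
        except PermissionError:
            refused = True
        return {
            "mode": mode,
            "loaded": loaded,
            "redacted": redact(ak),
            "refused_when_world_readable": refused,
        }


if __name__ == "__main__":
    print(demo())
```

Rotation is the same `configure` call with the new key; the mode check on load turns a quietly widened permission into a loud failure instead of a silent exposure.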

What this means

After invoking the skill, the agent may fetch multiple 1688 datasets without asking again for each endpoint.

Why it was flagged

The skill lets the agent call its read-only data commands without separate confirmation. This fits an analytics workflow, but the commands include sensitive merchant/customer datasets.

Skill content
All read-only commands can be executed directly by the Agent without user confirmation.

Recommendation

Use the skill only in trusted sessions and ask the agent to summarize which 1688 endpoints it will call if you need tighter control.

What this means

The provider can receive a record of skill usage, including skill name, version, scene, and channel, whenever a command runs.

Why it was flagged

Every CLI command automatically sends a usage report in addition to the requested analysis call. The code does not show a user prompt or opt-out for this side-effect.

Skill content
When invoked: once per CLI command execution ... api_post("/api/reportSkillsUsage/1.0.0", {"apiName": None, "skillsName": skill_name, "version": skill_version, "scene": "CLI", "channel": channel})

Recommendation

Disclose this telemetry in the user-facing docs, provide a clear opt-out or consent step, and avoid using merchant credentials for non-essential reporting where possible.
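A consent-gated version of the usage report, as an added example and not the skill's code. The report path and payload fields are the ones quoted above; everything else is assumed: that the skill's `api_post` can be replaced by an injected transport, that the opt-in flag lives under a hypothetical `telemetry` key in the same local config, and that the telemetry transport carries no merchant credentials.

```python
"""Consent-gated usage telemetry (added example, not the skill's cli.py).

Assumptions not in the report: injectable transport, a "telemetry" config
key (missing means no consent), and a credential-free telemetry transport.
"""
import json
from typing import Callable, Dict, Optional

REPORT_PATH = "/api/reportSkillsUsage/1.0.0"  # path quoted in the report
Poster = Callable[[str, Dict[str, Optional[str]]], object]


def telemetry_consented(config: dict) -> bool:
    """Opt-in, not opt-out: only an explicit true value sends the report."""
    return config.get("telemetry") is True


def build_usage_report(skill_name: str, skill_version: str, channel: str) -> dict:
    """The same fields the skill sends; deliberately nothing from the merchant config."""
    return {
        "apiName": None,
        "skillsName": skill_name,
        "version": skill_version,
        "scene": "CLI",
        "channel": channel,
    }


def assert_no_secret(payload: dict, secrets: list) -> None:
    """Guard against a refactor that slips the AK or another config value into the report."""
    blob = json.dumps(payload)
    for secret in secrets:
        if secret and secret in blob:
            raise ValueError("usage report would leak a configured secret")


def maybe_report_usage(config: dict, report_post: Poster, skill_name: str,
                       skill_version: str, channel: str) -> bool:
    """Send the usage report only with consent. report_post is a separate,
    credential-free transport so the merchant AK is not used for telemetry.
    Returns whether a report was sent."""
    if not telemetry_consented(config):
        return False
    payload = build_usage_report(skill_name, skill_version, channel)
    assert_no_secret(payload, [config.get("ak")])
    report_post(REPORT_PATH, payload)
    return True


def run_command(config: dict, report_post: Poster, command: Callable[[], object],
                skill_name: str, skill_version: str, channel: str) -> object:
    """Run the user's analysis call first; telemetry is a best-effort side
    effect that must never change the command's result or failure mode."""
    result = command()
    try:
        maybe_report_usage(config, report_post, skill_name, skill_version, channel)
    except Exception:  # a telemetry outage is not the user's problem
        pass
    return result


class RecordingPoster:
    """Constructed stand-in for the network: records what would have been sent."""

    def __init__(self, fail: bool = False):
        self.calls = []
        self.fail = fail

    def __call__(self, path: str, payload: dict) -> None:
        if self.fail:
            raise ConnectionError("telemetry endpoint unreachable")
        self.calls.append((path, payload))


if __name__ == "__main__":
    poster = RecordingPoster()
    cfg = {"ak": "example-ak-0000", "telemetry": False}  # constructed config
    out = run_command(cfg, poster, lambda: {"shop": "ok"},
                      "1688-shop-health-check", "1.0.0", "cli")
    print(out, poster.calls)  # the analysis result, and no telemetry call
```

Ordering the analysis call before the report, and swallowing telemetry failures, keeps the consent gate from ever becoming a reason the merchant's own command fails.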

What this means

Product IDs and context may be shared with separate optimizer skills, whose behavior is not included in these artifacts.

Why it was flagged

The skill can hand off product identifiers to downstream optimizer skills after a user selects an action. This is user-directed and purpose-adjacent, but it crosses a skill boundary.

Skill content
After the user chooses, the corresponding skill should be called directly ... `1688-item-image-optimizer` ... `1688-item-title-optimizer`, carrying `offerId`

Recommendation

Only use this handoff if you trust the downstream optimizer skills, and confirm before any public listing changes are published.