1688 Source Suppliers
ReviewAudited by ClawScan on May 10, 2026.
Overview
The supplier lookup behavior is mostly coherent, but the skill stores the 1688 access key under a different OpenClaw skill name, making credential scope unclear.
Install only if you trust this skill with your 1688 AK and are comfortable with it modifying OpenClaw configuration. Before using it, confirm why credentials are stored under `1688-shopkeeper`; if that is not an intended shared namespace, treat the skill as needing correction before installation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your 1688 access key may be saved under a different OpenClaw skill entry than the one you installed, which can cause credential sharing or configuration conflicts.
The skill is declared as `1688-source-suppliers`, but its configure code writes the user's AK under `1688-shopkeeper`. That creates an unclear credential boundary and could overwrite or expose credentials in another skill namespace.
SKILL_NAME = "1688-shopkeeper"
...
payload = {
"skills": {"entries": {SKILL_NAME: {"apiKey": api_key}}}
}
...
skill_entry["apiKey"] = api_keyVerify that `1688-shopkeeper` is an intentional shared namespace. If not, update the code to store and read credentials under `1688-source-suppliers` or a clearly documented scoped secret.
Running the configure command changes your OpenClaw configuration and persists the AK for future sessions.
The configure command can persistently modify OpenClaw configuration via the local gateway or direct file write. This is purpose-aligned for storing an AK, but it is a high-impact local configuration change.
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)
...
with open(CONFIG_PATH, "w", encoding="utf-8") as f:
json.dump(config, f, ensure_ascii=False, indent=2)Only run `configure` when you intend to save the AK, and review the resulting OpenClaw config if you need strict control over stored credentials.
A future compatible version of `requests` could be installed instead of the version the author tested.
The dependency is specified with a lower-bound version rather than an exact pin. This is common for simple HTTP integrations, but it makes installs less reproducible.
requests>=2.31.0
For stricter reproducibility, pin dependency versions or install in an isolated environment.