1688 Source Suppliers

Advisory

Audited by static analysis on May 7, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

Your 1688 access key may be saved under a different OpenClaw skill entry than the one you installed, which can cause credential sharing or configuration conflicts.

Why it was flagged

The skill is declared as `1688-source-suppliers`, but its configure code writes the user's AK under `1688-shopkeeper`. That creates an unclear credential boundary and could overwrite or expose credentials in another skill namespace.

Skill content

```python
SKILL_NAME = "1688-shopkeeper"
...
payload = {
  "skills": {"entries": {SKILL_NAME: {"apiKey": api_key}}}
}
...
skill_entry["apiKey"] = api_key
```

Recommendation

Verify that `1688-shopkeeper` is an intentional shared namespace. If not, update the code to store and read credentials under `1688-source-suppliers` or a clearly documented scoped secret.

What this means

Running the configure command changes your OpenClaw configuration and persists the AK for future sessions.

Why it was flagged

The configure command can persistently modify OpenClaw configuration via the local gateway or direct file write. This is purpose-aligned for storing an AK, but it is a high-impact local configuration change.

Skill content

```python
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)
...
with open(CONFIG_PATH, "w", encoding="utf-8") as f:
    json.dump(config, f, ensure_ascii=False, indent=2)
```

Recommendation

Only run `configure` when you intend to save the AK, and review the resulting OpenClaw config if you need strict control over stored credentials.

What this means

A newer version of `requests` that still satisfies the declared range could be installed instead of the version the author tested.

Why it was flagged

The dependency is specified with a lower-bound version rather than an exact pin. This is common for simple HTTP integrations, but it makes installs less reproducible.

Skill content

```
requests>=2.31.0
```

Recommendation

For stricter reproducibility, pin dependency versions or install in an isolated environment.