1688 Sourcing Inquiry

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s 1688 inquiry purpose is mostly coherent, but it exposes configured credentials in command output and includes under-documented OAuth/token and mismatched DingTalk credential flows.

Review carefully before installing. The core inquiry feature appears aligned with 1688 sourcing, but do not use it until the publisher masks AK/token outputs, removes or documents the extra OAuth/token commands, and fixes the misleading DingTalk credential instructions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A saved 1688 access key could be revealed in chat output or logs when checking configuration.

Why it was flagged

The status path prints the full configured AK into markdown and JSON data, which can expose a credential to the agent transcript, logs, or downstream consumers.

Skill content

markdown=f"AK 已配置。\n\n**AK**: `{existing_ak}`", data={"configured": True, "ak": existing_ak}

Recommendation

Mask the AK in all outputs, return only a configured/not-configured status, and keep the secret only in a dedicated secret store.

What this means

An OAuth access token for the user’s 1688 account could be surfaced outside the intended internal auth flow.

Why it was flagged

The CLI includes a `get_token` command that returns a raw access token in JSON output, while SKILL.md only documents `procurement` and `configure` for AK-based sourcing.

Skill content

"access_token": token_check["access_token"]

Recommendation

Remove or disable user-facing raw token output, document any required OAuth flow clearly, and provide scoped internal token use without printing secrets.

What this means

Users may be confused or misled about why they are providing a sensitive credential and what service it authorizes.

Why it was flagged

The configure guide asks for an AK for DingTalk message authentication, which conflicts with the skill’s stated 1688 procurement-sourcing purpose.

Skill content

请提供您的 AK(Access Key),用于钉钉消息发送的鉴权。

Recommendation

Remove template/DingTalk references and accurately explain that the AK is for 1688 sourcing API access.

What this means

Using the skill can create a procurement inquiry on the 1688 platform rather than merely searching or drafting.

Why it was flagged

The skill clearly discloses that `procurement` is a write/create operation and allows direct execution once the required fields are known.

Skill content

| **写入** | procurement | 当商品名称、数量、需求明确时直接执行;信息缺失时先追问补齐 |

Recommendation

Only use it when you truly want to publish or create an inquiry; for safer UX, consider adding a final confirmation step before submission.