Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
query-1688-product-detail
v1.0.1
Query 1688 cross-border product details via AlphaShop API using productId extracted from URL or provided directly. **MUST be used for any user request involv...
⭐ 0· 172·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to query 1688 product details via the AlphaShop API — that purpose matches the included code and network calls. However, the SKILL.md and README insist configuration is via skill entries using fields named apiKey/secretKey, while the Python code actually reads ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY from environment variables. Registry metadata also lists no required env vars. This mismatch between claimed configuration surface and actual credential inputs is disproportionate and confusing.
Instruction Scope
SKILL.md instructs the agent to always use this skill for any 1688 product lookup and to prompt the user for keys if missing. The script instead exits with errors if the keys are not set (no interactive prompt). The SKILL.md also refers to storing keys in skill entries (apiKey/secretKey) but the runtime code looks at environment variables; this divergence means the runtime instructions the agent will actually follow are unclear and may cause failures or accidental disclosure if users put secrets in the wrong place.
Install Mechanism
There is no install spec (instruction-only install), which reduces installation risk. The package includes a requirements.txt (requests, PyJWT) — expected for the Python script. Nothing in the install footprint suggests downloads from untrusted URLs or arbitrary extracted archives.
Credentials
The skill effectively requires two secrets (AlphaShop access and secret keys), which is reasonable for an API client, but the manifest declared no required env vars and SKILL.md promotes alternate config fields. The code looks for environment variables named ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY, and error messages reference both skill entries and env paths — causing ambiguity about where secrets should live. This ambiguity increases the risk of misconfiguration or secrets being stored in an unexpected location.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has no special persistence privileges. It performs only outbound API calls to a single AlphaShop endpoint.
What to consider before installing
This skill's purpose (querying 1688 product details via AlphaShop) matches its network calls, but there is a clear mismatch in how credentials are declared vs how the code reads them. Before installing or using it:
1) Confirm where you must place the keys — the code expects ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY as environment variables, whereas the SKILL.md says to put apiKey/secretKey in the skill entries.
2) Ensure you store the keys securely (prefer the platform's secret storage for skill entries over plaintext env files) and verify whether OpenClaw will expose those values to other components.
3) If you are the integrator, consider patching the skill so its documentation, manifest, and runtime agree (prefer a single canonical config path).
4) Test the script in an isolated environment first and review that Authorization Bearer tokens are sent only to the stated AlphaShop endpoint.
These inconsistencies are likely a configuration bug but should be fixed before trusting the skill with real credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk973geb9940y2rr2y5p0b8vnqs83g4n2
