search-1688-supplier

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill’s visible behavior matches its supplier-search purpose, but it relies on AlphaShop API credentials and an external API, so verify the publisher and handle keys carefully.

Before installing, confirm you trust the publisher, configure AlphaShop keys only through the intended environment settings, and remember that your search text, product IDs, and image URLs will be sent to AlphaShop.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You must provide AlphaShop API credentials; if mishandled, they could affect your AlphaShop account or API quota.

Why it was flagged

The skill requires provider API credentials to authenticate to AlphaShop. This is purpose-aligned, but the keys are sensitive and are not declared in the registry requirements.

Skill content
`ALPHASHOP_ACCESS_KEY` ... `ALPHASHOP_SECRET_KEY` ... `Used to generate the JWT authentication token` ... `✅ Required`
Recommendation

Configure the keys only through the skill environment/config, avoid pasting secrets into ordinary chat, and rotate them if exposed.

What this means

Search terms, product IDs, and image URLs may be shared with AlphaShop.

Why it was flagged

The script sends user search inputs to the AlphaShop API. This is the core purpose of the skill and uses the documented provider endpoint.

Skill content
API_URL = "https://api.alphashop.cn/ai.select.provider.search/1.0" ... requests.post(API_URL, json=payload, headers=headers, timeout=30)
Recommendation

Use the skill only for product/search data you are comfortable sending to AlphaShop, and review the provider’s API terms if needed.

What this means

Dependency behavior may vary depending on when and where the packages are installed.

Why it was flagged

The dependencies are common and purpose-aligned, but they are declared with lower-bound ranges rather than exact pinned versions, so manual installs may resolve different package versions over time.

Skill content
requests>=2.20.0
PyJWT>=2.0.0
Recommendation

Install from a trusted package index and consider pinning reviewed dependency versions in controlled environments.

What this means

Users may place extra trust in the skill because it appears to claim official 1688 authorship.

Why it was flagged

The skill makes an official-authority claim. The supplied registry context lists the source as unknown and provides no homepage, so this claim should be verified before relying on it with API credentials.

Skill content
author: 1688官方技术团队
Recommendation

Verify the publisher or official distribution channel before providing API keys.