Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
1688 Price Monitor
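v1.0.1
Monitors 1688 wholesale product prices, with support for dropshipping price lookup, manufacturer information, and same-item price comparison. Suited to e-commerce sellers, purchasing agents, and side-business entrepreneurs.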
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (1688 price monitoring) align with the provided Python tool: it performs HTML scraping/searching on 1688 and provides profit calculations. However, the SKILL metadata declares required binaries python3 and curl; the shipped Python code uses only the requests library and does not call curl. The explicit curl requirement appears disproportionate to the stated purpose.
Instruction Scope
SKILL.md describes how to query/search/calc profit and includes an install hint for requests. The instructions do not ask the agent to read unrelated system files or environment variables. The code only performs network requests to 1688 pages and local calculations; it does not exfiltrate environment data or access unrelated system paths.
Install Mechanism
Registry lists no formal install spec, but SKILL.md metadata includes an 'install' entry recommending 'pip3 install requests'. The Python code depends on the requests package only; there are no downloads from third-party URLs and no archive extraction. The discrepancy between 'no install spec' in the registry and an install hint inside SKILL.md is worth clarifying (installer behavior/platform expectations).
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code does not access environment secrets. This is proportionate to the skill's functionality.
Persistence & Privilege
The skill is not forced always-on (always: false) and requests no elevated persistent privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default — expected for skills.
What to consider before installing
Before installing:
1) Ask the publisher why 'curl' is listed as a required binary when the included Python script uses requests — unnecessary required binaries can be a red flag.
2) Confirm how the skill will be installed in your environment (pip install requests is suggested in SKILL.md but the registry has no install spec).
3) Review tools/query_price.py yourself (it’s small): it only requests 1688 pages and parses HTML/JSON; there are no hidden endpoints or credential reads.
4) Consider running the skill in a sandbox or with limited agent autonomy until you’re comfortable.
5) Be aware of scraping/legal/rate-limit concerns with 1688 and avoid providing any unrelated credentials to this skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk9707dybwggcps4wjajfz93gdx83s02s
Runtime requirements
🏭 Clawdis
Bins: python3, curl
