Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ecommerce Data Export
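v1.0.0
Export e-commerce data as Excel/PDF reports, with support for price history, sales analysis, and competitor comparison. Suited to e-commerce sellers and market analysts.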
⭐ 0· 163·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill promises PDF generation, web scraping of product pages, and scheduled automatic sending, but declares only python3 (and a metadata note about installing pandas/openpyxl). PDF generation and web-scraping typically require additional libraries or external tools (e.g., requests/BeautifulSoup, PDF libraries, headless browser or wkhtmltopdf). The declared binaries/env vars do not justify the full feature set.
Instruction Scope
SKILL.md is vague about how data is obtained and delivered. Examples show user-provided Taobao URLs, but there are no concrete fetch/scrape instructions, nor limits on what the agent may read or send. 'Scheduled generation / periodic automatic sending of reports' implies persistence and outbound transmission but gives no mechanism or explicit consent/checkpoints — this gives the agent broad, ill-defined discretion.
Install Mechanism
There is no formal install spec (instruction-only), but metadata suggests running 'pip3 install pandas openpyxl'. That is low-risk as-is, but is incomplete for the advertised capabilities (no scraping, networking, or PDF packages listed). No external downloads or anomalous install URLs are present.
Credentials
The skill requests no environment variables or credentials, yet describes sending reports and periodic automation — actions that normally require SMTP/API credentials, webhook URLs, or storage access. The absence of declared credential requirements is inconsistent and could lead to ad-hoc requests for secrets at runtime.
Persistence & Privilege
The skill is not set to always:true (good), but it advertises scheduled automatic reports which imply creating persistent schedules (cron jobs, background tasks, or storing credentials). SKILL.md does not state how schedules are implemented or what persistence is required; this is ambiguous and should be clarified before granting autonomous use.
What to consider before installing
Before installing, ask the author to clarify and tighten the skill's runtime behavior:
1) Provide an explicit list of required Python packages (e.g., requests, beautifulsoup4, pdf library, scheduler) and why each is needed.
2) Explain precisely how product data is fetched (scraping vs API), whether authentication/cookies are needed, and confirm compliance with target sites' terms.
3) Describe how scheduled reports are implemented (platform scheduler vs creating cronjobs) and what persistent storage or permissions are needed.
4) Specify what credentials (SMTP, webhook, cloud storage) will be required and limit those to the minimum; avoid giving broad account keys.
5) Require explicit user confirmation before the agent sends reports or contacts external endpoints, and consider disabling autonomous invocation for scheduling actions.
If the author updates the skill to explicitly list and justify dependencies and credential needs and adds safe approval points for sending data, this assessment could move toward benign; until then treat it as suspicious.
Like a lobster shell, security has layers — review code before you run it.
latestvk9752srv36hkztrfbtkq72wqnn83k00e
Runtime requirements
📊 Clawdis
Bins: python3
