Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Taobao Price Monitor
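v1.0.0
Monitors Taobao/Tmall product prices, with support for historical price lookup, price-drop alerts, and price comparison. Suited to e-commerce sellers, purchasing agents (daigou), and savvy shoppers.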
⭐ 0· 256·3 current·3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim multiple features (price history, price-drop alerts, price comparison, batch monitoring, API, export, enterprise edition) but the repository only includes a single query_price.py that performs basic price fetching. Several referenced tools (history_price.py, price_alert.py, compare_price.py) and an HTTP API server are mentioned in SKILL.md but are not present. This mismatch suggests the package does not implement its advertised capabilities.
Instruction Scope
SKILL.md directs installation of extra tooling (playwright + playwright install) and modifying ~/.openclaw/openclaw.json to store a TAOBAO_COOKIE. The shipped Python tool uses only requests; Playwright is not used in query_price.py. The instructions also describe running a local HTTP API (localhost:18789) and cron jobs, but no server code or the other scripts required for alerts/history/compare are included. These vague/overbroad instructions grant the agent discretion and ask to store a sensitive cookie in agent config.
Install Mechanism
Registry metadata lists no install spec, but SKILL.md contains frontmatter recommending pip install requests and the body instructs installing Playwright. The actual code requires only requests. The mismatch between metadata, instructions, and code raises the risk that additional install steps (Playwright) are unnecessary or were copied from another project.
Credentials
The skill requests a TAOBAO_COOKIE, which is relevant for bypassing anti-scraping and could be required for some scraping tasks. However, SKILL.md says Cookie is optional while the registry requires TAOBAO_COOKIE as mandatory—this contradiction should be resolved before providing secrets. Storing the cookie in ~/.openclaw/openclaw.json would make it available to the agent and potentially other skills.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. The SKILL.md suggests scheduling cron jobs and storing configuration in the agent config, which is typical for monitoring skills, but nothing here requests permanent global privileges or modifies other skills' configs.
What to consider before installing
This package is internally inconsistent rather than overtly malicious: it asks for a Taobao cookie (sensitive) and documents many features that are not present in the shipped files. Before installing or providing secrets:
1) ask the author for the missing scripts (history/alert/compare/server) or a single-file explanation;
2) confirm whether Playwright is actually required, and avoid installing heavy browser libs if not needed;
3) do not paste a real TAOBAO_COOKIE into shared agent config; prefer testing in an isolated environment or using a throwaway cookie;
4) if you need alerts or API endpoints, require that the skill includes the server/cron code or provides deployment instructions;
5) if you can't verify these inconsistencies, treat the skill as untrusted and avoid supplying credentials or enabling autonomous runs.
Like a lobster shell, security has layers — review code before you run it.
latestvk972e2qn3v1469bcpm3gn5gcph83jstk
Runtime requirements
🛒 Clawdis
Bins: python3, curl
Env: TAOBAO_COOKIE
