Taobao Price Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill mostly behaves like a Taobao price checker, but it asks for a Taobao session cookie for anti-scraping without clear credential boundaries.

Use this only if you are comfortable with a basic Taobao price-query script and understand the cookie risk. Avoid giving it your main Taobao login cookie; if you must use a cookie, use a dedicated low-risk account and disable any cron monitoring when finished.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing or using the skill may require giving the agent access to a Taobao session cookie, which could expose account context if mishandled.

Why it was flagged

The skill asks the user to store a Taobao cookie in OpenClaw configuration for anti-scraping. A cookie can be a logged-in session credential, but the artifact does not define a narrow scope, safe cookie contents, retention, or account-risk guidance.

Skill content
Configure Cookie (optional, used to bypass anti-scraping) ... TAOBAO_COOKIE: "your_cookie_here"
Recommendation

Do not provide a primary shopping-account cookie unless necessary. Prefer a dedicated low-risk account, remove or rotate the cookie when done, and ask the maintainer to declare the credential and document exact handling.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users may install additional browser automation components that are not needed by the included query script.

Why it was flagged

The skill provides user-directed dependency installation commands, including Playwright, while the provided code only imports requests and the registry has no install spec. This is not hidden, but it is an under-declared setup/provenance gap.

Skill content
pip3 install requests playwright
playwright install
Recommendation

Install only the dependencies required for the specific function you will use, preferably with pinned versions, and verify why Playwright is needed before installing it.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users may expect monitoring, alerting, or comparison behavior that cannot be verified from the provided files.

Why it was flagged

SKILL.md describes several auto-called helper tools, but the supplied manifest contains only SKILL.md and tools/query_price.py. This makes the advertised behavior incomplete in the reviewed artifacts.

Skill content
`history_price.py` | Historical price query | Auto-called ... `price_alert.py` ... `compare_price.py`
Recommendation

Treat the current artifact as only a basic price-query tool unless the missing helpers are supplied and reviewed.

ASI10: Rogue Agents
Low
What this means

If enabled, the agent may keep checking product prices and making network requests every hour until the cron job is disabled.

Why it was flagged

The documentation shows an optional hourly cron job that triggers agent activity. This fits the monitoring purpose, but it is persistent recurring behavior users should notice.

Skill content
cron: { jobs: [ { id: "taobao-price-check", schedule: { kind: "every", everyMs: 3600000 }, payload: { kind: "agentTurn", message: "检查监控的淘宝商品价格,有变化时通知我" } } ] }
Recommendation

Enable recurring monitoring only for items you actually need, keep request rates low, and remove the cron job when monitoring is no longer needed.