taobao-dianshang
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish an incorrect listing, price, stock count, or category to a real Taobao shop if invoked too broadly or before the merchant reviews the page.
This documents a browser action that clicks the final product-submission control. Publishing a product listing can affect public commerce and store operations, and the skill does not require an explicit final approval step before this action.
browser(action="act", ref="xxx_293", kind="click") # 提交宝贝信息
Require the agent to save as draft or stop for explicit user confirmation before clicking the final publish/submit button.
Actions will be taken as the logged-in seller account, including potentially the wrong store if multiple accounts are used.
The skill acts inside the merchant publishing workflow, so it will use whatever Taobao/Qianniu seller identity is currently logged in.
打开千牛工作台→进入商品发布页面→上传商品图片→填写商品信息(标题、价格、库存、属性等)→发布商品
Use only in the intended seller account and consider a lower-privilege or test account when validating the workflow.
If multiple elements have the same visible text, the script could click an unintended control on the seller page.
The skill instructs the browser tool to execute JavaScript in the page to locate and click matching dropdown text. This is disclosed and purpose-aligned, but it is a raw browser scripting escape hatch.
kind="evaluate", fn="() => { const allEls = document.querySelectorAll('div, span, li'); for (const el of allEls) { if (el.textContent.trim() === '<目标文字>') { el.click(); return 'clicked'; } } return 'not found'; }"Prefer narrower selectors or manual confirmation for critical fields such as category, sale status, price, and publish controls.