Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alibaba Supplier Outreach
v1.0.0
Find and contact verified Alibaba suppliers for your product, send optimized outreach messages, check replies, and manage negotiations for Amazon FBA sourcing.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match what the SKILL.md instructs (finding suppliers, crafting messages, sending inquiries, checking replies). However, the runtime instructions require platform-specific tools (mcp__launchfast__supplier_research and mcp__claude-in-chrome__* chrome automation) and a logged-in Alibaba Chrome session, but these required tools are not declared in the skill's top-level metadata — a mismatch that should have been explicit.
Instruction Scope
The instructions tell the agent to control the user's browser, navigate to supplier pages, read message pages, type and send messages, and take screenshots for verification. Taking screenshots of web pages opened in the user's browser can capture sensitive or unrelated information (account details, other messages). The use of coordinate-based clicks is brittle and can click the wrong UI element, causing unintended actions. While reading and sending messages is within the stated purpose, these operations are privacy- and action-sensitive and should be explicitly called out, limited, and audited.
Install Mechanism
No install spec or code files are present; the skill is instruction-only. This lowers supply-chain risk because nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials, and it does not ask for AWS/other unrelated secrets. Instead it relies on the user's logged-in Chrome session for Alibaba and on platform tools. That is reasonable for a browser-automation-based outreach skill, but the metadata should have declared these tool dependencies so users understand what platform capabilities it needs.
Persistence & Privilege
The skill does not request persistent 'always' inclusion or special agent-wide privileges. It can invoke autonomously (platform default), which is expected — but given the ability to operate the user's logged-in browser, users should be aware of the potential blast radius if the skill is allowed to run without supervision.
What to consider before installing
This skill behaves like a remote assistant that will control your Chrome session to search suppliers, read and send messages, and take screenshots. Before installing or invoking it:
1) Confirm you are comfortable allowing automated actions from your logged-in Alibaba account (it will send messages and read replies).
2) Note the SKILL.md requires LaunchFast and specific chrome-automation tools but the skill metadata does not declare these — ask the author to list required platform tools.
3) Be cautious about screenshots (they may capture account info or other private content); prefer redaction or disable screenshots if possible.
4) The workflow uses coordinate-based clicks which are brittle — test with a throwaway Alibaba account or in a safe environment before using on your main account.
5) Always review and approve each generated message before the skill sends it (the skill asks for approval, but verify the platform enforces it).
If you cannot verify the tooling or don't want an agent to control your logged-in browser, do not enable this skill.
Like a lobster shell, security has layers — review code before you run it.
Tags: alibaba, fba, latest, outreach, supplier
