Free AI Xiao Nuan E-commerce Customer Service Agent
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: ecommerce-cs-agent
Version: 1.0.0
The skill bundle is a standard template for an e-commerce customer service agent named 'Xiao Nuan.' It contains a persona-focused system prompt and legitimate tool definitions for order querying, logistics tracking, and product searching in SKILL.md and system-prompt.md. There are no indicators of data exfiltration, malicious execution, or harmful prompt injection; the instructions are strictly aligned with the stated purpose of providing customer support.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A poorly scoped integration could expose order details or allow lookups beyond the intended customer.
If implemented, the optional order-query tool can access customer order records using an order ID or phone number. This is expected for e-commerce support but involves customer/account data.
"query_order", "description": "根据订单号或手机号查询订单信息"
Use least-privilege read access, verify the customer before lookup, and minimize or redact phone/order data in chats and logs.
If wired to backend tools, mistakes could create incorrect return/exchange tickets or affect order handling.
The optional return/exchange tool would mutate a support or order workflow if connected to real systems. This matches the customer-service purpose, and the prompt separately says sensitive refund/compensation operations need confirmation.
"create_return", "description": "创建退换货工单"
Require explicit customer or operator confirmation for returns, refunds, and compensation, and keep audit logs for any backend changes.
Customer messages, order IDs, or phone numbers could be present in another session/model context.
The recommended workflow forwards customer messages into a spawned subagent session. This is disclosed and purpose-aligned, but it creates a separate agent context that may receive customer information.
runtime: "subagent" ... then use `sessions_send` to forward customer messages to that session
Forward only the information needed for the support task, avoid unnecessary personal data, and close or manage subagent sessions according to your privacy policy.
Incorrect knowledge-base content could lead to wrong product information, policy statements, or customer promises.
The optional RAG extension would rely on retrieved knowledge-base content for customer answers. This is expected for product/FAQ support, but outdated or incorrect entries could influence responses.
Import product data / FAQ / after-sales policies into a vector database ... retrieve relevant knowledge before replying
Use curated knowledge sources, keep policies updated, and add human review for sensitive commitments such as refunds or compensation.
