clawec-1688-product-search

Pass

Audited by ClawScan on May 15, 2026.

Overview

This skill is a narrow 1688 product-search helper that calls a declared Clawec API with a user-provided keyword and API key, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install only if you intend to use Clawec for 1688 product research. Set the API key via CLAWEC_API_KEY when possible, verify the clawec.com endpoint, and remember that your search keywords will be sent to Clawec. The provided artifacts do not show hidden file access, persistence, or destructive actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Clawec API key may grant access to the user's Clawec account or quota, but the artifacts only show it being used for the declared Clawec endpoint.

Why it was flagged

The skill requires a Clawec bearer token. This is expected for an authenticated Clawec API integration and the instructions say not to hardcode it.

Skill content

Authorization: Bearer <API_KEY> ... Prefer reading the key from the environment variable `CLAWEC_API_KEY`; if it is not set, ask the user for it, and do not hardcode it.

Recommendation

Prefer setting CLAWEC_API_KEY as an environment variable, use a revocable/least-privilege key if available, and rotate it if it is exposed.

What this means

Product research keywords, which may reflect business plans or sourcing strategy, are shared with Clawec when the skill is used.

Why it was flagged

The helper sends the user's search keyword and API token to the declared external Clawec API. This is purpose-aligned, but it means Clawec receives the query.

Skill content

curl -s -G "https://www.clawec.com/api/aigc/tool/1688_product_search_lite" ... --data-urlencode "keyword=$KEYWORD" ... -H "Authorization: Bearer $API_KEY"

Recommendation

Use only search terms you are comfortable sending to Clawec and avoid placing unrelated secrets or private customer data in the keyword.

What this means

Users may need to do their own verification that the Clawec service and endpoint are the intended provider before supplying an API key.

Why it was flagged

The registry metadata gives limited provenance. This is not suspicious by itself because the included files are small and consistent with the stated purpose, but users have less publisher verification context.

Skill content

Source: unknown
Homepage: none

Recommendation

Inspect the short script, confirm the clawec.com API/key pages independently, and install only if you trust that provider.