clawec-shopee-product-search
Pass
Audited by ClawScan on May 15, 2026.
Overview
This appears to be a straightforward Shopee product-search skill, with the main caveat that it uses a ClawEC API key and sends search keywords to ClawEC.
Before installing, be comfortable sharing your Shopee search keywords with ClawEC and using a ClawEC API key. Set the key via CLAWEC_API_KEY, avoid hardcoding it, and remember that API calls may consume ClawEC points or credits.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured ClawEC API key to make product-search requests, which may expose search terms to ClawEC and may consume account points or credits.
The skill uses a ClawEC API key as delegated access to the user’s ClawEC account. This is disclosed and purpose-aligned, but the key should be treated as sensitive.
Authorization: Bearer <API_KEY> ... Prefer reading the key from the environment variable `CLAWEC_API_KEY`; if it is not set, ask the user for it; do not hardcode it.
Use an API key intended for this integration, keep it in the environment rather than hardcoding it, and revoke or rotate it if no longer needed.
The helper script may fail on systems without those tools, and users may not see all prerequisites from metadata alone.
The helper script requires python3 and curl even though the supplied requirements list no required binaries. This is a metadata completeness issue, not evidence of hidden installation or unsafe execution.
PAYLOAD=$(python3 -c 'import json,sys; print(json.dumps({"keyword": sys.argv[1]}))' "$KEYWORD")
curl -s -X POST "https://www.clawec.com/api/aigc/ec/shopee_search"
Confirm bash, python3, and curl are available before using the helper script; the publisher should declare these prerequisites if the script is a supported path.
