闲鱼数据抓取

Using the skill may violate platform anti-bot rules, risk account restrictions, and cause the agent to perform stealth scraping rather than ordinary browsing.

The browser automation deliberately masks Playwright automation signals; this matches the skill's stated goal of bypassing anti-crawler protections.

A crafted keyword or config value could cause arbitrary shell commands to run in the OpenClaw workspace.

The keyword can come from command-line/user input and becomes part of a path interpolated into a shell command, so shell metacharacters in a keyword could execute unintended commands.

If misused or exposed, these credentials could allow repository changes or access to the user's logged-in Xianyu session.

The skill requests a Gitee token with repository project permissions and a Xianyu login cookie, both of which can grant meaningful account access.

The skill can continue scraping and processing data in the background after installation, even when the user is not actively invoking it.

The installer automatically appends scheduled jobs to the user's crontab, including recurring scrape/report/cleanup tasks.

A changed or malicious remote installer could run arbitrary setup commands in the user's environment.

The documentation recommends executing an unpinned remote script directly through bash, with an unknown source and no checksum or review step.

Users may underestimate that generated data and screenshots can leave their machine and be stored in a Gitee repository.

The privacy text says data files are local and not uploaded to third parties, while the same skill repeatedly describes automatic upload to Gitee.