翱象发品
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill needs review because it can bulk-publish products to a Taobao-related merchant account, but the runnable implementation is missing or inconsistent and the instructions do not define clear safeguards before changing store data.
Treat this as a review item before production use. Ask the publisher for the actual scripts or JAR, verify the endpoint and credential handling, and require a preview plus explicit confirmation before any batch goods are created in a real merchant store.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may need to obtain or run unreviewed code to make the skill work, which could mishandle credentials or publish unintended product data.
The provided manifest contains only SKILL.md, but the skill references executable/helper files that are not included. For a high-impact publishing integration, the code that would sign requests and mutate goods listings cannot be reviewed.
from scripts.aoxiang_publish import AoxiangPublishClient ... python3 scripts/aoxiang_publish.py ... File list - `scripts/aoxiang_publish.py` - `REFERENCE.md`
Provide the actual implementation files, pin the runtime/dependencies, and make the registry description match the included artifacts before using it on a real merchant account.
Incorrect input or an over-eager agent action could create wrong SKUs, prices, barcodes, or listings in a merchant store.
The documented action creates/publishes goods in bulk for a merchant store, but the instructions do not define an approval checkpoint, dry-run mode, scope limit, or rollback process before the account mutation.
Supports batch creation of products ... Need to batch-publish products to 淘宝闪购 ... result = client.create_goods(merchant_code="ERP_ACCESS_TEST", erp_store_code="ERP_NORMAL", sku_list=sku_list)
Require explicit user confirmation for the final publish step, show a preview of every SKU and price, validate that prices are in cents, and limit batch size or support a dry run.
Supplying these credentials may grant authority to create goods for the merchant account.
The integration expects an AppKey and secret to sign API requests. This is purpose-aligned, but the registry metadata does not declare a credential contract.
client = AoxiangPublishClient(
app_key="???",
secret="???"
) ... secret | Yes | Used for signing
Use a least-privilege API key if available, avoid hardcoding secrets in prompts or files, and ensure the skill declares and documents its credential requirements.
Business product data may leave the agent context and be transmitted to the provider API.
The API body includes merchant/store identifiers and SKU details such as barcodes and prices, which would be sent to the external 翱象/淘宝闪购 platform as part of the intended workflow.
`merchant_code` ... `erp_store_code` ... `sku_list` ... `barcodes` ... `sale_price`
Confirm the destination endpoint and implementation before use, and only send product data intended for publication.
