Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ecommerce Scraper
v1.0.0爬取动态电商网站数据。使用Playwright处理JavaScript渲染的页面,支持Cloudflare反爬、隐躲API发现、分页抓取。适用于: (1) 爬取京东/淘宝/拼多多等中国电商, (2) 爬取Amazon/eBay等国际电商, (3) 价格监控和竞品分析, (4) 批量商品数据采集。
⭐ 1· 1.7k·13 current·13 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (Playwright-based e-commerce scraper) aligns with the included scripts and SKILL.md: the code implements JS-rendered scraping, hidden-API discovery, pagination, Cloudflare evasion tricks, and login/cookie handling. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Instructions explicitly direct the agent to run Playwright to load pages, listen to network responses to discover API endpoints, inject anti-detection scripts, and save/load cookies. Those behaviors are appropriate for scraping but include active measures to evade protections (Cloudflare bypass techniques and automation-stealth scripts), which broaden the scope and may have legal/ethical implications. The SKILL.md does not instruct reading unrelated local files or sending data to third-party endpoints.
Install Mechanism
There is no install spec (instruction-only plus Python scripts). That reduces installer risk; however the code depends on Playwright and a browser runtime, which the README and scripts note must be installed by the user (pip install playwright && playwright install chromium). No external arbitrary downloads or obscure installers are embedded.
Credentials
The skill requests no environment variables or credentials. The login-capable script uses interactive QR/login flows and stores cookies to a local file (data/cookies.json), which is proportional to its stated feature set. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not attempt to change other skills or global agent settings. It persists only its own cookies/local files under a data/ directory. Default autonomous invocation is allowed (platform default) but not combined with other high-risk indicators.
Assessment
This package appears internally consistent with an e‑commerce scraping tool, but consider the following before installing: (1) legal/ethical: bypassing Cloudflare/anti-bot measures and scraping some sites may violate terms of service or law — confirm you have permission; (2) dependencies: you must install Playwright and a browser runtime (pip install playwright && playwright install chromium) and run in an environment that can launch a browser; (3) cookies and login: scrape_v2 saves cookies to data/cookies.json — treat that file as sensitive and clean it if it contains account session data; (4) code quality: there is at least one small bug/typo in scripts/api_discovery.py (a malformed print block) and some files are truncated in the registry view — review the full source before running; (5) operational: run the scraper in an isolated environment (not on systems with sensitive credentials), monitor network access, and avoid enabling automated/unreviewed autonomous execution by agents if you don't want the skill to run without human oversight.Like a lobster shell, security has layers — review code before you run it.
latestvk97a1eafj3b7bty599y6rz78ch81x0yq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.