1688 Shopkeeper.Bak

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real 1688 shopkeeping integration, but it can publish products to linked stores after only a dry-run and without a final confirmation when the target is unique.

Install only if you are comfortable giving the skill your 1688 AK and allowing it to operate on linked shops. Before any publish action, insist on seeing the dry-run result and give explicit final approval yourself, even though the skill currently tells the agent it may proceed automatically when the target is unique.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A product listing action could be submitted to a real Douyin/Pinduoduo/Xiaohongshu/Taobao shop based on the agent’s interpretation after the preview, which may affect public listings, compliance, pricing, or store operations.

Why it was flagged

The publish command writes products to downstream stores. The skill requires a dry-run, but then instructs the agent to perform the real write automatically when the target is unique, without asking the user for a final confirmation.

Skill content
When the target is unique, perform the real write directly after a successful dry-run, without a second confirmation.
Recommendation

Require an explicit final user confirmation after every dry-run before removing --dry-run, showing the exact shop, product IDs/count, and any batch limit effects.

What this means

The AK is a credential that authorizes access to the user's 1688/shopkeeper account context and linked store operations.

Why it was flagged

The configure flow stores the user's 1688 AK in the OpenClaw skill configuration so later commands can authenticate to 1688 and access linked shop capabilities.

Skill content
skill_entry["apiKey"] = api_key
Recommendation

Use a revocable/scoped AK where available, rotate it if exposed, and remove it from OpenClaw configuration when no longer using the skill.

What this means

Local workspace files may retain product selections, publish requests, and operational metadata after the conversation ends.

Why it was flagged

The skill persists local diagnostic snapshots for publish actions, including request and response data, which may contain business or shop-operation details.

Skill content
Publish troubleshooting snapshot | `{PUBLISH_DATA_DIR}/1688_{time}.json` | Written **only for real publishes** (without `--dry-run`); fields include time, api_request, api_response, meta, cli_output
Recommendation

Treat the OpenClaw workspace data as sensitive, avoid sharing it, and delete old 1688-skill-data snapshots if they are no longer needed.