Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ecom-price-monitor: cross-border e-commerce price monitoring tool. When a competitor moves, get an alert within seconds.
v1.0.0: Monitors competitor price changes on cross-border e-commerce platforms in real time, issues smart alerts and provides trend analysis to support precise pricing and market decisions.
⭐ 0 · 115 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The README/SKILL.md advertises many platform integrations (Amazon, eBay, Shopify, Walmart, Target, etc.) and real scraping/notification features, but the implemented PLATFORMS dict and visible code only include amazon/taobao/jd/pdd/1688 and several scraping methods are mocked. The documentation mentions API keys and cookies for multiple platforms, yet the repository lacks implemented API usage for many of those services. This is a capability–purpose mismatch (overpromised features vs. delivered code).
Instruction Scope
Runtime instructions are simple (pip install -r requirements.txt; python src/main.py) and the code reads config/settings.yaml for API keys and notification settings. However, many capabilities described in SKILL.md/docs (real-time scraping, email/webhook notifications) are not actually implemented in the visible code (there are mock scrapers and TODOs for email/webhook). The SKILL.md does not explicitly ask for secrets as env vars but the config file contains many secret fields (API keys, SMTP password, webhook_url) that the program will read if populated. No instructions ask the agent to read unrelated system files or exfiltrate data, but the skill's operation depends on user-provided credentials in the config file.
Install Mechanism
No install script or remote downloads; it's an instruction-only install with a requirements.txt (requests, bs4, schedule, pyyaml, pandas). This is a standard Python dependency list and there are no remote archive downloads or unusual installers.
Credentials
The skill declares no required environment variables, which matches the package metadata. However, config/settings.yaml includes many secret fields (API keys for Amazon/Taobao/JD/PDD, SMTP username/password, webhook_url). These are optional but necessary for full functionality; requiring users to populate plaintext secrets in the repo config is expected for this tool but increases risk if credentials are reused or stored insecurely. No unrelated platform credentials are requested.
Persistence & Privilege
The manifest's always field is false and the skill does not request elevated or persistent platform privileges. It writes logs/exports to disk per configuration and can send notifications if configured; nothing in the manifest indicates modification of other skills or system-wide configuration.
What to consider before installing
This skill is not obviously malicious, but it overpromises and appears incomplete: many scrapers are mocked and email/webhook are marked TODO. Before installing or running with real credentials, do the following:
(1) Inspect the full src/main.py (the provided view was truncated) to confirm which network endpoints are contacted and whether any secrets are transmitted.
(2) Don't put production API keys or SMTP passwords into the shipped config file without first verifying the notification/scraping code; use limited-scope/test credentials or environment-isolated accounts.
(3) Expect to implement or replace mocked scrapers with robust, compliant scraping or official APIs (and respect platform terms of service).
(4) Run the skill in a sandboxed environment and monitor outbound network activity the first time you run it.
(5) If you need the advertised platforms (eBay, Shopify, Walmart, Target), verify those integrations are actually implemented or be prepared to add them yourself.
If you want higher assurance, ask the author for a complete changelog and proof that the advertised integrations are implemented and audited.
Version: latest · vk97111frctf3ggwsqyftdmv3q183j21v
