Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taobao Draft Generator

v1.0.0

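Taobao product listing draft generation: manually triggered, five-dimension material consistency check, SEO title rewriting for originality, generates drafts only and does not list automatically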

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description promise: generate Taobao listing drafts with five‑dimensional consistency checks and only official API use. Actual code: reads local ./products/[款号]/product_info.json, produces a JSON draft and a simple Excel audit report (stubbed results). There are no API calls to Taobao and the detailed compliance checks are not implemented — the implementation is a simplified local draft generator, so some claimed capabilities are overstated.
Instruction Scope
SKILL.md/README describe multiple compliance checks (违禁词检测, 类目检查, 五维一致性) and 'official API' operations. The runtime script only reads local files, writes files, and writes an Excel report with placeholder '✅ 通过' entries; it does not perform the promised validation nor any network/API calls. That discrepancy is scope creep / misrepresentation and could mislead users into trusting checks that aren't performed.
Install Mechanism
No install spec provided (instruction-only with bundled code). Dependencies are listed in requirements.txt for pip; installation is standard and low-risk. No remote downloads or archive extraction occur. This is low install risk.
Credentials
The skill declares no required environment variables, which matches the manifest; however the script calls dotenv.load_dotenv() and reads LOG_LEVEL via os.getenv. Loading a .env file can surface environment secrets if present. The code does not send network requests, but users should be aware the runtime will read environment variables if a .env file exists.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges or write to other skills' configs. It creates local dirs (logs, drafts, product audit folders) within the workspace, which is expected for a local generator.
What to consider before installing
This skill appears to be a simple local draft generator, but it overstates its capabilities. Before installing or running: 1) do not assume the compliance checks are performed — the audit is a stub; review and implement real checks if you need them; 2) inspect and run the Python code in a sandbox — there is a syntax bug in main() (a non-ASCII comma) that will cause failure; fix/test locally first; 3) remove or inspect any .env before running since the script loads environment variables; 4) if you expect Taobao API integration or automated validation, demand or implement visible API calls and proper checks; otherwise treat this as a helpful draft template generator, not a compliance/automation tool.

Like a lobster shell, security has layers — review code before you run it.

latest vk977nbr6hmnafn3htbn81g59h583wxms

Runtime requirements

📝 Clawdis
OS: Windows
Bins: python3
