Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Taobao Ecommerce System
v1.0.0 · 2026 no-inventory (dropshipping) e-commerce operations system: smart product selection, standardized listing, Wanxiangtai (万相台) test marketing, order automation, smart customer service
⭐ 0 · 117 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The name and description describe a full e-commerce system (API integrations, automatic push to 1688, monitoring, etc.). The manifest requests only python3 and lists Python dependencies (requests, pandas, Pillow), which is reasonable for that purpose. However, the included main script implements no network or API calls at all; it only prints simulated flows. The delivered capability is therefore a stub/demo rather than the full integration the docs promise.
Instruction Scope
SKILL.md and README instruct the agent to run the script with various commands, which is consistent with an instruction-only skill. The docs promise 'official API' usage and 'manual confirmation only' for high-risk operations; the runtime instructions themselves do not require reading unrelated system files. The script does, however, call load_dotenv(), create a logs folder, and read LOG_LEVEL from the environment, so it will read the process environment and any .env file present, neither of which is declared in requires.env.
Install Mechanism
No install spec is present (instruction-only with a Python script). That is low risk — nothing is automatically downloaded or executed beyond the local Python script and standard pip-installed dependencies listed in requirements.txt.
Credentials
requires.env lists no variables, yet requirements.txt includes python-dotenv, the script calls load_dotenv(), and the README references a .env file for API keys. The skill may therefore read environment variables or a .env file (potentially holding API keys) without declaring them as required. Because of this mismatch, a user who runs the skill with a populated .env could expose credentials without realizing it.
Persistence & Privilege
The skill is not always-enabled; user-invocable is true and autonomous invocation is allowed by default. It writes logs under ./logs but does not modify other skills or system-wide settings. No elevated persistence or privileged actions are requested.
What to consider before installing
This package looks like a documented demo: the README/SKILL.md promise live Taobao/1688 API operations, but the included Python script only prints simulated outputs and does not call external APIs. Before installing or running with real credentials:
1) Inspect the code paths that would contact APIs (search for requests, urllib, or SDK usage) and confirm where endpoints/keys are used.
2) Do not place real API keys/secrets in a .env in the skill folder until you confirm the code's network behavior.
3) Run the script in a sandboxed environment (no real credentials, limited network) to observe actual calls.
4) If you expect real integration, request a version that clearly implements authenticated API calls and documents exactly which env vars are required.
The current mismatch (docs vs. implementation, plus undeclared .env usage) is the reason for a cautious classification.
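The two findings above (environment/.env reads the manifest does not declare, and the question of whether the code can reach the network at all) can both be checked statically before anything runs. The following is an added example written for this page; it is not ClawHub's scanner and not the skill's own code. It walks a Python file's AST and reports literal env-var names read through os.environ/os.getenv, env reads with computed keys, any dotenv loading, and imports of network-capable standard or third-party modules. The manifest format is assumed: `declared_env` is simply the set of names the skill's requires.env lists (empty here, as on this page). The sample script and the name TAOBAO_APP_SECRET are constructed; the sample deliberately imports requests so the detector has something to flag, whereas the scan above reports that the real script makes no network calls.

```python
"""Static pre-install audit of a Python skill: undeclared env reads and network imports.

Added example for this page, not ClawHub's scanner or the skill's code.
Targets Python 3.9+ (Subscript.slice is the key expression directly).
"""
import ast
from dataclasses import dataclass, field
from pathlib import Path

# Top-level modules that give a script the ability to talk to the network.
NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "aiohttp", "socket", "ssl"}
# python-dotenv entry points that pull a .env file into the process environment.
DOTENV_FUNCS = {"load_dotenv", "dotenv_values", "find_dotenv"}


@dataclass
class AuditReport:
    env_reads: set = field(default_factory=set)        # env names read with a literal key
    dynamic_env_reads: int = 0                         # env reads whose key is computed at runtime
    loads_dotenv: bool = False                         # calls load_dotenv()/dotenv_values()/...
    network_modules: set = field(default_factory=set)  # network-capable modules imported

    def undeclared(self, declared):
        """Env names the code reads but requires.env (the `declared` set) does not list."""
        return sorted(self.env_reads - set(declared))


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _literal_key(node):
    """The string value of a constant key, or None if the key is computed."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def audit_source(source: str, declared_env=()) -> AuditReport:
    """Audit one Python source text; `declared_env` is only used by the caller via undeclared()."""
    report = AuditReport()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top in NETWORK_MODULES:
                    report.network_modules.add(top)
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            if top in NETWORK_MODULES:
                report.network_modules.add(top)
        elif isinstance(node, ast.Subscript) and _dotted(node.value) in ("os.environ", "environ"):
            key = _literal_key(node.slice)                 # os.environ["NAME"]
            if key is None:
                report.dynamic_env_reads += 1
            else:
                report.env_reads.add(key)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            if name in ("os.getenv", "getenv", "os.environ.get", "environ.get"):
                key = _literal_key(node.args[0]) if node.args else None
                if key is None:
                    report.dynamic_env_reads += 1
                else:
                    report.env_reads.add(key)
            elif name.split(".")[-1] in DOTENV_FUNCS:     # load_dotenv() or dotenv.load_dotenv()
                report.loads_dotenv = True
    return report


def audit_folder(folder: str, declared_env=()) -> dict:
    """Audit every .py file under a skill folder; returns {relative path: AuditReport}."""
    root = Path(folder)
    return {str(p.relative_to(root)): audit_source(p.read_text(encoding="utf-8"), declared_env)
            for p in root.rglob("*.py")}


# Constructed sample resembling the behaviour the scan describes (dotenv, logs folder,
# LOG_LEVEL), plus a network import and a secret read so the detector has findings.
SAMPLE_SKILL_SCRIPT = '''
import os, sys, logging
from dotenv import load_dotenv
import requests

load_dotenv()
os.makedirs("logs", exist_ok=True)
LOG_LEVEL = os.getenv("LOG_LEVEL", "INFO")
API_SECRET = os.environ["TAOBAO_APP_SECRET"]   # constructed name, not from the page
other = os.environ.get(sys.argv[1])            # key only known at runtime
'''

if __name__ == "__main__":
    r = audit_source(SAMPLE_SKILL_SCRIPT)
    print("loads .env:", r.loads_dotenv)
    print("undeclared env reads:", r.undeclared(declared_env=set()))
    print("dynamic env reads:", r.dynamic_env_reads)
    print("network-capable imports:", sorted(r.network_modules))
```

Run it against the unpacked skill folder with `audit_folder(path, declared_env=<names from requires.env>)` and compare: anything in `undeclared()` is a variable the manifest hides from you, a non-zero `dynamic_env_reads` means the scan cannot tell you which names are read, and an empty `network_modules` on a skill that promises live API calls is the docs-versus-code gap this page describes. A static pass is not a substitute for step 3 (a sandboxed run); it tells you where to look, not what the code will do.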
latest: vk972p6rm9z42r2cvzmpxvnbrgx83x4j0
Runtime requirements
🛍️ Clawdis
OS: Windows
Bins: python3
