Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taobao Operations

v1.0.0

Daily operations + customer service and after-sales + compliance and risk control in one: read-only API, no automatic modifications, compliant customer service, manual confirmation

0 · 61 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with the code and outputs (report generation, compliance checks, customer-service automation). The declared required binary (python3) and the Python dependencies in metadata/requirements are reasonable for this workload. Minor oddities: the skill's metadata and README mention an optional .env file and Taobao API keys, but requires.env is empty in the registry metadata; the OS restriction to win32 is likely unnecessary but not harmful. requirements.txt includes 'requests', yet the visible code makes no network calls; that may be groundwork for future features, but it is an unexplained mismatch.
Instruction Scope
SKILL.md and README instruct the agent to run the packaged Python script to generate reports and start an auto-reply helper; they claim read-only API access and that the tool will not modify shop data. The instructions do not ask the agent to read unrelated system files. However, the runtime loads environment variables from .env, and the README asks users to edit .env to add API keys; those runtime secrets are not declared in the registry manifest, which is a transparency gap.
Install Mechanism
No install script provided (instruction-only with packaged Python script). Dependencies are standard PyPI packages listed in requirements.txt. There are no external downloads or archive extraction steps. This is low risk from an install-mechanism perspective.
Credentials
The skill's code calls load_dotenv(), and the README explicitly instructs populating .env with Taobao API keys, yet the registry metadata lists no required environment variables or primary credential. That mismatch makes it unclear which secrets the skill will read if they are present. Although the skill claims read-only API use, users should not provide high-privilege credentials until the exact env vars and API scopes are documented. The number of implied credentials is small and plausible for the purpose, but the omission in the metadata is a practical, security-relevant inconsistency.
Persistence & Privilege
always:false and default agent invocation settings are used. The skill only writes logs/reports to local workspace directories (logs/, reports/) which is expected. It does not request persistent platform-wide privileges or modify other skills/configs.
What to consider before installing
This skill appears to implement the advertised reporting and compliance helpers, but there are a few things to check before installing or giving it any credentials:
1) The package loads .env (via python-dotenv) and the README suggests putting Taobao API keys there, yet the registry metadata does not declare which env vars it will read. Only provide an API key with strictly read-only, least-privilege scope, and prefer a throwaway/test account first.
2) Inspect the full scripts/operations_main.py file locally (I saw the provided copy was truncated) to confirm there are no unexpected network calls, credential uploads, or filesystem reads at the end of the file.
3) Install dependencies inside a dedicated virtualenv and run the tool in a sandbox or test account to validate behavior.
4) If you need autonomous agent invocation, be cautious: although this skill does not set always:true, an agent granted autonomous use plus credentials could act without ongoing user confirmation. Verify the skill truly requires manual confirmation for any write actions.
5) If you plan to use it in production, ask the author to update the skill manifest to explicitly list any required env vars and the exact API scopes needed.
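Checklist items 1 and 2 (which env vars the script reads, and whether the full operations_main.py makes unexpected network calls or filesystem reads) can be checked mechanically before any credential is handed over. The following is an added example for this page, not code from the Taobao Operations skill or from ClawHub: an ast-based audit that reports load_dotenv calls, the environment variable names a script reads, network-capable imports and call sites, and file opens, and that flags a truncated copy (which fails to parse). The sample script it runs on is constructed here; the env var names (TAOBAO_APP_KEY and so on) and the endpoint URL are hypothetical, not taken from the skill.

```python
"""Static audit of a Python skill script before handing it any credentials.

Added example for this page, not code from the Taobao Operations skill or
ClawHub. Requires Python 3.9+ (ast.Subscript.slice is the expression itself).
"""
import ast
from dataclasses import dataclass, field

# Modules whose import or use signals outbound network capability.
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}


@dataclass
class AuditReport:
    parse_ok: bool = True
    error: str = ""
    loads_dotenv: bool = False
    env_vars: set = field(default_factory=set)
    network_imports: set = field(default_factory=set)
    network_calls: list = field(default_factory=list)  # (lineno, "requests.post")
    file_opens: list = field(default_factory=list)     # (lineno, path or None)


def _dotted(node):
    """Render an attribute chain such as requests.post as 'requests.post'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _first_str_arg(call):
    """First positional argument of a call if it is a string literal, else None."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def audit_source(source: str) -> AuditReport:
    report = AuditReport()
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:  # a truncated download usually lands here
        report.parse_ok = False
        report.error = f"line {exc.lineno}: {exc.msg}"
        return report

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] in NETWORK_MODULES:
                report.network_imports.add(mod)

        if isinstance(node, ast.Subscript):  # os.environ["NAME"]
            if _dotted(node.value) == "os.environ" and isinstance(node.slice, ast.Constant):
                report.env_vars.add(str(node.slice.value))
        elif isinstance(node, ast.Call):
            fn = _dotted(node.func)
            if fn.endswith("load_dotenv"):
                report.loads_dotenv = True
            elif fn in ("os.getenv", "os.environ.get"):
                name = _first_str_arg(node)
                if name:
                    report.env_vars.add(name)
            elif fn.split(".")[0] in NETWORK_MODULES or fn == "urlopen":
                report.network_calls.append((node.lineno, fn))
            elif fn == "open":
                report.file_opens.append((node.lineno, _first_str_arg(node)))
    return report


def undeclared_env_vars(report: AuditReport, declared) -> list:
    """Env vars the code reads that the manifest (requires.env) does not declare."""
    return sorted(report.env_vars - set(declared))


# Constructed sample standing in for a skill script; the env var names and the
# endpoint are hypothetical, not taken from the Taobao Operations skill.
SAMPLE_SKILL = '''\
import os
import requests
from dotenv import load_dotenv

load_dotenv()
APP_KEY = os.getenv("TAOBAO_APP_KEY")
APP_SECRET = os.environ["TAOBAO_APP_SECRET"]
SESSION = os.environ.get("TAOBAO_SESSION", "")

def fetch_orders():
    resp = requests.post("https://api.example.invalid/orders", data={"app_key": APP_KEY})
    return resp.json()

def write_report(text):
    with open("reports/daily.md", "w", encoding="utf-8") as fh:
        fh.write(text)
'''

# A copy cut off mid-definition, as a truncated download would be.
TRUNCATED_SKILL = SAMPLE_SKILL + "\ndef send_report(\n"

if __name__ == "__main__":
    r = audit_source(SAMPLE_SKILL)
    print("loads .env:", r.loads_dotenv, "| env vars read:", sorted(r.env_vars))
    print("undeclared vs manifest:", undeclared_env_vars(r, []))  # requires.env is empty
    print("network imports:", sorted(r.network_imports), "| calls:", r.network_calls)
    print("file opens:", r.file_opens)
    t = audit_source(TRUNCATED_SKILL)
    print("truncated copy parses:", t.parse_ok, "-", t.error)
```

Run it against the real scripts/operations_main.py by passing the file contents to audit_source; a non-empty undeclared_env_vars result is exactly the manifest gap the scan describes, and a parse failure means the copy under review is not the whole file. The audit is purely static and name-based, so aliased imports or dynamically built attribute access will evade it; it is a first pass before reading the code, not a substitute for reading it.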

Like a lobster shell, security has layers — review code before you run it.

latest: vk9768znpebptc902svqy82fynd83x33f


Runtime requirements

🛡️ Clawdis
OS: Windows
Bins: python3
