Alibaba Shopping
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Alibaba shopping assistant, but it may use your logged-in shopping session to add items, apply coupons, and show address/order details before leaving payment to you.
This skill appears safe for its stated shopping purpose. Before installing or using it, be comfortable with it viewing logged-in shopping pages and preparing cart/order previews. Keep payment, final submission, passwords, and CAPTCHA handling manual, and verify cart contents, address, coupons, and final price yourself.
VirusTotal
59/59 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could add items, apply coupons, and prepare an order preview in your account if you let it use your logged-in session.
The skill directs browser automation to perform cart and pre-order actions. These are purpose-aligned for shopping and payment is blocked, but they still affect the user's shopping account state.
Cart & Pre-Order ... Add item to cart ... Apply available coupons ... Select delivery address ... Generate order preview
Review item, quantity, coupon, address, and total price in the browser before proceeding, and keep final checkout/payment under your manual control.
Using this skill while logged in can expose and modify account-specific shopping data such as cart contents and coupon/order state.
The skill explicitly uses authenticated shopping pages for account-specific actions. This is expected for the stated purpose and is bounded before payment, but it relies on the user's logged-in identity.
logged-in carts, coupons, orders → `user` only when needed ... Add to Cart / View Cart / Apply Coupons / Generate Order: Auth Required ... Payment: Blocked
Use it only in the intended shopping account, confirm each account-affecting action, and do not provide passwords or CAPTCHA responses to the agent.
Your delivery address and order details may appear in the conversation or agent-generated summary.
The order-preview workflow may read and repeat delivery address and order details in the agent context. No persistence or exfiltration is shown, but this is personal account information.
Key Data Points: ... Delivery address ... Available payment methods ... Order Summary Template ... 收货地址: [Address]
Avoid sharing more personal details than needed, ask the agent to mask the address in summaries if desired, and verify sensitive details directly on the shopping site.