taobao-shopping

ReviewAudited by ClawScan on May 10, 2026.

Overview

The skill’s shopping features are coherent, but it relies on your logged-in Taobao browser session and unreviewed external browser automation code that can act on your account.

Only install this if you trust the OpenCLI package and browser bridge extension. Consider using a separate Chrome profile, keep Taobao logged out except when needed, use dry-run for cart actions, and require explicit confirmation before the agent changes your cart.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Commands may run with the authority of your logged-in Taobao account, including reading cart information and changing the cart.

Why it was flagged

The skill uses the user's existing logged-in Taobao/Tmall browser session rather than a scoped API credential, and the artifacts do not clearly bound cookie handling, browser-profile scope, or account-access safeguards.

Skill content

首次使用前，请确保 Chrome 已登录淘宝 (www.taobao.com)，因为所有命令依赖 Cookie 认证。 ... 所有适配器均使用 Cookie 认证策略

Recommendation

Use a dedicated browser profile or secondary account, review what the browser extension/package can access, and require confirmation before any account-changing action.

Medium

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing the skill as documented means trusting outside code with access to an authenticated shopping session.

Why it was flagged

Authenticated browser automation is delegated to an external global npm package and browser extension, but the reviewed artifact set contains only SKILL.md and does not include or pin those components.

Skill content

OpenCLI 已安装：`npm install -g @jackwener/opencli` ... OpenCLI Browser Bridge 扩展已加载 ... 此 skill 依赖 OpenCLI 项目中的淘宝适配器模块

Recommendation

Install only if you trust the OpenCLI package and browser extension source, verify permissions, and prefer a pinned version and isolated browser profile.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If invoked carelessly, it could add an unintended item or specification to your cart.

Why it was flagged

The add-cart command can modify the user's shopping cart and defaults to doing the real action, although this is disclosed and aligned with the skill's shopping purpose.

Skill content

`opencli taobao add-cart <商品ID>` ... `--dry-run` | 布尔 | `false` ... 加入购物车（自动选择第一个可用规格）

Recommendation

Ask the agent to preview with `--dry-run` or confirm the exact item and specification before adding anything to the cart.