Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Popmart Stock Monitor

v1.0.0

Monitor PopMart product restock status across multiple channels including WeChat Mini Programs, Taobao, JD.com, and Tmall. Use when user wants to track avail...

Security Scan
Capability signals
Requires OAuth token
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to monitor Taobao, JD, Tmall, and WeChat and to use official APIs when available. It reasonably requests Taobao/JD API keys and Feishu webhook in docs, which fit the purpose. However, metadata declares no required env vars/credentials, and the Python code constructs platform handler instances without passing API keys from the provided config, so credentials would not actually be used. Also monitor_popmart imports jd and tmall handlers but those modules are not present in the package — inconsistent with the declared multi-platform capability.
! Instruction Scope
SKILL.md instructs installing networked scraping tools, using proxies/VPNs, creating cron jobs, and copying the skill into system paths (e.g., into OpenClaw's skills directory). OPENCLAW_INTEGRATION.md contains hard-coded example paths (/Users/panda/...) and suggests commands that would execute files from a user's home; the docs also show running /exec on local files. Nothing in the instructions asks to read unrelated secrets, but the guidance to copy code into system directories and to create persistent cron jobs expands the runtime scope beyond an ephemeral script and should be treated cautiously.
Install Mechanism
There is no registry install spec; SKILL.md recommends pip installing requests, beautifulsoup4, selenium, and playwright (and references running `playwright install chromium`). This is a standard Python stack for scraping/browser automation and is not an unusual install pattern. There are no downloads from untrusted URLs in the package. However, playwright implies installing a browser binary which increases footprint; the package provides no packaged installer or requirements file — installation is manual and must be trusted by the user.
! Credentials
The documentation and example configs request Taobao/Tmall and JD API keys and a Feishu webhook (appropriate for notifications). But registry metadata lists no required env vars/primary credential. The runtime code uses a config file (popmart_config.json) to hold API keys/webhook, but the monitor instantiates platform handlers without passing those keys, so the declared credentials are not actually wired. The mismatch between declared metadata and required secrets is suspicious and could lead users to put secrets in files unnecessarily. The docs also reference debug via DEBUG=true (an env var) that is not declared.
Persistence & Privilege
The skill itself does not request special platform privileges (always:false) and is user-invocable. The docs recommend setting up cron jobs or copying the skill into OpenClaw's skills directory for persistent monitoring; those are user actions but would create persistent execution. That persistence is user-driven rather than automatic from the skill metadata, but copying into system locations (example shows ~/.npm-global and hard-coded paths) is a potentially risky operational instruction and should be considered carefully.
What to consider before installing
This package looks like a plausible PopMart monitor but is incomplete and inconsistent. Before installing or running it:

  1. Inspect missing pieces: the code references jd and tmall handlers that are not included and uses BeautifulSoup in taobao._check_via_scraping but the import is missing in that file; fix or remove broken imports.
  2. Do not drop your API secrets into files or system-wide locations until you confirm the code actually uses them; prefer providing credentials via a secure mechanism (environment variables or a secrets manager) and review how they are consumed.
  3. Avoid blindly following OpenClaw docs that copy files into system paths or run hard-coded user paths; run the code in a virtualenv or isolated container first.
  4. Be cautious about scraping: platforms may block requests, and obey terms of service; using proxies/VPNs increases operational risk.
  5. If you plan to use notifications, verify webhook targets (Feishu) and test with dummy webhooks.
  6. If you are not comfortable auditing Python code, treat this skill as untrusted until a maintainer provides the missing handlers and demonstrates proper credential wiring and error handling.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

PopMart Stock Monitor

Overview

This skill monitors PopMart product availability across major Chinese e-commerce platforms:

  • WeChat Mini Programs (official PopMart store)
  • Taobao
  • JD.com
  • Tmall

Setup Requirements

API Keys & Authentication

  • Taobao/Tmall: Requires Taobao Open Platform API access
  • JD.com: Requires JD Open Platform API access
  • WeChat: Requires official Mini Program access or web scraping (limited)
  • Proxy/VPN: May be needed for reliable access to Chinese platforms

Installation

# Install required dependencies
pip install requests beautifulsoup4 selenium playwright

Usage Examples

Basic Product Monitoring

Monitor PopMart "Molly Ocean" series on all platforms
Check PopMart Labubu blind box stock status
Track availability of PopMart Dimoo Space series

Advanced Configuration

Monitor PopMart product ID 12345 every 30 minutes
Check PopMart stock with priority: JD > Tmall > Taobao
Alert me via Feishu when PopMart Molly is back in stock

Implementation Details

Platform-Specific Handlers

WeChat Mini Program

  • Method: Web scraping (requires mobile user-agent)
  • Limitations: Rate limiting, requires session cookies
  • Reliability: Medium (depends on Mini Program updates)

Taobao/Tmall

  • Method: Official API preferred, fallback to web scraping
  • Authentication: OAuth 2.0 with Taobao developer account
  • Rate Limits: 100 requests/minute per app

JD.com

  • Method: Official JD Open Platform API
  • Authentication: App key + secret authentication
  • Rate Limits: 50 requests/minute per app

Stock Detection Logic

  1. Product Identification: Match by product name, SKU, or official product ID
  2. Availability Check:
    • "In Stock" / "有货" status
    • Add-to-cart button enabled
    • Price displayed (not "sold out")
  3. False Positive Filtering:
    • Exclude pre-order items
    • Verify actual inventory vs display status

Notification System

Supported Channels

  • Feishu: Webhook integration (recommended)
  • Email: SMTP configuration required
  • SMS: Requires telecom API integration
  • Local: Desktop notifications

Alert Templates

🚨 POPMART RESTOCK ALERT 🚨
Product: {product_name}
Platform: {platform}
Status: Back in Stock! 
Link: {product_url}
Price: {price}
Last Checked: {timestamp}

Configuration File

Create popmart_config.json in your workspace:

{
  "products": [
    {
      "name": "Molly Ocean Series",
      "sku": "PM-MLY-OCEAN-2026",
      "platforms": ["wechat", "taobao", "jd", "tmall"],
      "priority": ["jd", "tmall", "taobao", "wechat"]
    }
  ],
  "check_interval_minutes": 30,
  "notification": {
    "channel": "feishu",
    "webhook_url": "YOUR_FEISHU_WEBHOOK_URL"
  },
  "api_keys": {
    "taobao_app_key": "YOUR_TAOBAO_APP_KEY",
    "taobao_app_secret": "YOUR_TAOBAO_APP_SECRET",
    "jd_app_key": "YOUR_JD_APP_KEY",
    "jd_app_secret": "YOUR_JD_APP_SECRET"
  }
}
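
The scan above notes that the skill never wires the file's api_keys into its handlers and recommends supplying credentials through the environment instead. The loader below is an added example, not code from the skill: it reads the same config layout, reports any real secret left in the file, and takes keys and the webhook from environment variables. The POPMART_* variable names, the SAMPLE config and the load_config function are assumptions made for illustration.

```python
import json
import os
from urllib.parse import urlparse

# Hypothetical environment variable names (not defined by the skill) for the
# api_keys fields of popmart_config.json.
SECRET_ENV = {
    "taobao_app_key": "POPMART_TAOBAO_APP_KEY",
    "taobao_app_secret": "POPMART_TAOBAO_APP_SECRET",
    "jd_app_key": "POPMART_JD_APP_KEY",
    "jd_app_secret": "POPMART_JD_APP_SECRET",
}
WEBHOOK_ENV = "POPMART_FEISHU_WEBHOOK"  # hypothetical name

# Constructed sample: a config where a real-looking secret was pasted into the file.
SAMPLE = json.dumps({
    "products": [{"name": "Molly Ocean Series", "platforms": ["jd", "tmall"]}],
    "check_interval_minutes": 30,
    "notification": {"channel": "feishu", "webhook_url": "YOUR_FEISHU_WEBHOOK_URL"},
    "api_keys": {"jd_app_key": "YOUR_JD_APP_KEY", "jd_app_secret": "constructed-secret"},
})


def load_config(config_text, env=None):
    """Return (config, problems); every secret comes from env, never the file."""
    env = os.environ if env is None else env
    cfg = json.loads(config_text)
    note = cfg.setdefault("notification", {})
    in_file = dict(cfg.get("api_keys", {}), webhook_url=note.get("webhook_url", ""))
    # Anything in the file that is not a YOUR_... placeholder is a stored secret.
    problems = [f"{k}: secret stored in config file"
                for k, v in in_file.items() if v and not v.startswith("YOUR_")]

    # Require keys only for platforms in use; Tmall goes through the Taobao API.
    used = {p for prod in cfg.get("products", []) for p in prod.get("platforms", [])}
    if "tmall" in used:
        used.add("taobao")
    needed = [f for f in SECRET_ENV if f.split("_")[0] in used]
    cfg["api_keys"] = {f: env.get(SECRET_ENV[f], "") for f in needed}
    problems += [f"{SECRET_ENV[f]}: not set" for f in needed if not cfg["api_keys"][f]]

    note["webhook_url"] = env.get(WEBHOOK_ENV, "")
    hook = urlparse(note["webhook_url"])
    if note.get("channel") == "feishu" and (hook.scheme != "https" or not hook.hostname):
        problems.append(f"{WEBHOOK_ENV}: must be an https URL")
    # The skill's compliance notes ask for request intervals of at least 30 seconds.
    if cfg.get("check_interval_minutes", 0) * 60 < 30:
        problems.append("check_interval_minutes: interval below 30 seconds")
    return cfg, problems
```

A non-empty problems list is a reason to stop before any platform handler or webhook is constructed.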

Limitations & Considerations

Technical Challenges

  • Anti-bot measures: Chinese platforms have aggressive bot detection
  • Session management: WeChat Mini Programs require valid sessions
  • Rate limiting: All platforms enforce strict rate limits
  • Dynamic content: Heavy JavaScript rendering on some platforms

Legal Compliance

  • Respect robots.txt and terms of service
  • Implement reasonable request intervals (≥30 seconds)
  • Do not overload platform servers
  • Use official APIs when available

Reliability Notes

  • WeChat: Most unreliable due to frequent Mini Program updates
  • Taobao/Tmall: Moderate reliability with proper API access
  • JD.com: Most reliable with official API integration

Troubleshooting

Common Issues

  1. "Access Denied" errors: Check API credentials and rate limits
  2. False stock alerts: Adjust detection logic in stock_detection.py
  3. Connection timeouts: Increase timeout values or use proxy
  4. Missing products: Verify product identifiers and platform availability

Debug Mode

Enable debug logging by setting DEBUG=true in environment:

DEBUG=true python popmart_monitor.py

Maintenance

  • Update selectors monthly (Chinese sites change frequently)
  • Rotate user agents to avoid detection
  • Monitor API quota usage
  • Test with new PopMart product launches
