Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taobao Image Search

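Use Taobao to search for matching products by image, compare candidates, and add items to the cart. Use this skill when the user provides a product image and asks to "find the same item / find similar items / compare prices / add to cart". Prefer running the local scripts (save-taobao-cookie.js, verify-taobao-runner.js) to complete the whole flow; when a script fails or the page structure changes, fall back to driving the browser tool manually.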

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 964 · 2 current installs · 2 all-time installs
by XR Gunner @lazygunner
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (Taobao image search, candidate compare, add-to-cart) matches the included scripts and test: save-taobao-cookie.js saves login state; verify-taobao-runner.js uploads an image, samples candidates, opens detail pages and attempts add-to-cart. No unrelated credentials or services are requested.
Instruction Scope
SKILL.md instructs the agent to run the local Playwright scripts first and fall back to the browser tool; the scripts read/write local artefacts (verification-artifacts/*) and interact with Taobao pages (navigations, clicks, screenshot capture). They do not attempt checkout/payment. This behavior is within scope but the agent (or operator) must explicitly allow interactive login and the scripts will store sensitive session state locally.
Install Mechanism
This is an instruction-only skill (no install spec). The code depends on Playwright; README suggests installing via 'npx playwright install chromium'. However, both runnable scripts require Playwright from an absolute path ('/opt/homebrew/lib/node_modules/playwright'), which is a machine-specific path and may cause failures on systems where Playwright is installed elsewhere.
Credentials
The skill requests no environment variables or external credentials. It creates and reads local files (user data dir and verification-artifacts) including 'taobao-storage-state.json' and a persistent browser profile directory — these files contain cookies/session tokens and should be protected as sensitive credentials, which is proportionate to the purpose but important to know.
Persistence & Privilege
The skill does not request 'always: true' or any elevated platform privileges. It writes only its own artifacts and a local browser profile in the repo directory, which is expected for browser automation and is limited in scope.
Assessment
This skill appears to do what it says: automate Taobao image search and add-to-cart with Playwright and fall back to a browser tool. Before installing or running it:

  1. Install Playwright/Chromium and ensure the require path is correct (the scripts import Playwright from '/opt/homebrew/…' which may need editing to work on your machine).
  2. Be aware the scripts will open a browser for you to log in and will save session state to verification-artifacts/taobao-storage-state.json and a .pw-user-data-taobao folder — treat those files like credentials (store/delete securely).
  3. The code will attempt to add items to your cart (not place orders); confirm prompts/inputs when running.
  4. Run initially in headed mode so you can observe/interrupt actions.
  5. If you are uncomfortable storing Taobao session cookies locally or giving the script a browser profile, do not run it or delete the saved artifacts after use.

If you want higher assurance, review the full verify-taobao-runner.js content (the file is provided) and test on an account without funds/items of value.


Current version: v1.0.2
latest vk973qrp8anfgh31xw1d78003a181kf3x

SKILL.md

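Taobao Image Search Skill

Execution strategy

  • Prefer running the scripts: save-taobao-cookie.js, verify-taobao-runner.js
  • When a script fails or the page structure changes, fall back to the browser tool.
  • By default, never place an order or pay; search and add to cart only.

Input requirements

  • Required: a local image path or an image from the conversation.
  • Optional: budget, preferences (brand/color/size), search only or add to cart.

If a key input is missing, first ask the minimum number of follow-up questions (for example "Add to cart directly?" or "What is the budget ceiling?").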

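Main flow (scripts first)

1. Prepare the login state

First check whether a login-state file already exists:

ls -la verification-artifacts/taobao-storage-state.json

If it does not exist or the login state has expired, run:

node save-taobao-cookie.js

After it starts, have the user complete the login in the Taobao page that opens, then press Enter in the terminal to save the login state.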
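
An added example (not part of the skill's own scripts): a Node.js check to run before reusing the saved login state, reporting whether the file is missing, readable by other local users, or left with no usable cookie. It assumes the file follows Playwright's storageState layout; `auditStorageState`, its report fields and the action names are hypothetical.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumption: the file uses Playwright's storageState layout,
// { cookies: [{ name, domain, expires, ... }], origins: [...] },
// where `expires` is Unix seconds and -1 marks a session cookie.
function auditStorageState(file, nowSec = Math.floor(Date.now() / 1000)) {
  const report = { exists: false, mode: null, looseMode: false,
                   live: 0, expired: 0, session: 0, action: 'relogin' };
  let stat, state;
  try { stat = fs.statSync(file); } catch { return report; }
  report.exists = true;
  report.mode = (stat.mode & 0o777).toString(8).padStart(3, '0');
  // Any group/other permission bit exposes the session cookies to other local users.
  report.looseMode = (stat.mode & 0o077) !== 0;
  try { state = JSON.parse(fs.readFileSync(file, 'utf8')); } catch { return report; }
  for (const c of Array.isArray(state.cookies) ? state.cookies : []) {
    if (typeof c.expires !== 'number' || c.expires < 0) report.session++;
    else if (c.expires <= nowSec) report.expired++;
    else report.live++;
  }
  // Only the site can confirm a login; this catches the certain failures
  // (missing file, unparsable file, no usable cookie left).
  if (report.live + report.session > 0) {
    report.action = report.looseMode ? 'tighten-permissions' : 'reuse';
  }
  return report;
}

// Constructed sample (not real Taobao cookies): one live, one expired, one session cookie.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'state-audit-'));
  const file = path.join(dir, 'taobao-storage-state.json');
  const now = 1700000000;
  const cookies = [
    { name: 'a', domain: '.example.test', expires: now + 3600 },
    { name: 'b', domain: '.example.test', expires: now - 10 },
    { name: 'c', domain: '.example.test', expires: -1 },
  ];
  fs.writeFileSync(file, JSON.stringify({ cookies, origins: [] }));
  fs.chmodSync(file, 0o644);            // typical default: readable by everyone
  const loose = auditStorageState(file, now);
  fs.chmodSync(file, 0o600);            // owner-only, as for any credential file
  const tight = auditStorageState(file, now);
  const missing = auditStorageState(path.join(dir, 'absent.json'), now);
  fs.rmSync(dir, { recursive: true, force: true });
  return { loose, tight, missing };
}
```

The permission check relies on POSIX mode bits, so it is meaningful on macOS and Linux only; the .pw-user-data-taobao profile directory holds the same session and needs the same owner-only treatment.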

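2. Run the full chain

node verify-taobao-runner.js --image /absolute/path/to/image.png

The script covers:

  1. Open the Taobao home page.
  2. Verify the login status (abort if not logged in and prompt the user to log in first).
  3. Open the image-search dialog and upload the image.
  4. Click the search button inside the dialog (preferring #image-search-upload-button.upload-button.upload-button-active).
  5. Sample candidate products and open their detail pages.
  6. Click add to cart and check for the success prompt.

Script parameter conventions:

  • --image, -i: image path (default test.png).
  • --headless / --headed: run mode for local debugging.
  • --delay-ms: extra wait added to key steps (default 2000; on slow networks increase to 4000-8000).
  • --engine: the local script currently supports only playwright.
  • The browser tool is invoked by the skill flow in the OpenClaw runtime, not directly by this local script.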

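3. Read the verification results

After the script runs, read:

  • verification-artifacts/result.json
  • verification-artifacts/run-log.txt
  • verification-artifacts/*.png (screenshots of the flow)

Key decision fields:

  • success: whether the flow ran successfully.
  • loginCheck.isLoggedIn: whether the session is logged in.
  • addToCart.success: whether add-to-cart succeeded.
  • addToCart.reason: failure reason (if any).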

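Fallback flow (browser tool)

Use only when script execution fails, the page structure has changed, or manual interaction is needed for troubleshooting.

1. Open Taobao and verify login

  • Open https://www.taobao.com
  • Check whether the nickname element .site-nav-login-info-nick.member-nick-info is visible.
  • If not logged in, prompt the user to log in first, then continue.

2. Upload the image and search

  • Click the camera / find-similar entry to open the upload dialog.
  • Upload the image.
  • Click only the search button inside the dialog, preferring:
    • #image-search-upload-button.upload-button.upload-button-active
    • .image-search-context-wrapper-active #image-search-upload-button.upload-button.upload-button-active
    • .image-search-context-wrapper-active .upload-button.upload-button-active[data-spm='image_search_button']
  • Fallback when the selectors above no longer match:
    • .image-search-context-wrapper-active .upload-button:has-text('搜索')

3. Select a product and add to cart

  • Analyze the candidate products and prefer the most similar one.
  • Open the detail page and click "加入购物车" (Add to cart).
  • If a specification choice is mandatory, select the default specification first, then add to cart.
  • Confirm the result using the on-page success prompt.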

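Suggested recovery on failure

  • Login failure: rerun node save-taobao-cookie.js
  • Upload failure: reopen the image-search dialog and upload again.
  • Search button not located: prefer the exact dialog-button selectors listed above.
  • Add-to-cart failure: check the specification selection, risk-control interception, or an expired login.

Safety boundaries

  • Operate only on products the user explicitly specified.
  • Never perform the "立即购买" (Buy now), "提交订单" (Submit order), or "支付" (Pay) actions.
  • When the specification, quantity, or shop preference is unclear, confirm first.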

Files

5 total