Taobao Image Search
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs the full workflow for a search or comparison request, it may add an unintended product, size, or color to the user's cart.
The primary workflow automatically chooses a candidate item and adds it to the user's Taobao cart, which mutates the user's account state.
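The script covers: ... 4. **Product sampling**: samples candidate products and opens their detail pages. 5. **Automatic add-to-cart**: clicks "Add to cart" and checks for the success prompt.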
Only run this skill when you explicitly want cart changes, and require the agent to show the selected item and get confirmation before adding it to the cart.
Anyone or any process with access to those files may be able to reuse your Taobao session.
The skill stores active Taobao session credentials locally so it can automate logged-in actions.
Session persistence: to enable automated login, this skill saves the browser session (Cookies and Storage State) locally. Paths: `verification-artifacts/taobao-storage-state.json` and `.pw-user-data-taobao/`.
Use this only on a trusted machine, do not share the generated artifact directories, and delete the listed files when finished.
The installed dependency and browser binary become part of the trusted execution path for this skill.
The skill requires installing an unpinned npm package and browser runtime, which is common for Playwright automation but still expands local supply-chain trust.
install: - npm install playwright - npx playwright install chromium
Install from trusted networks, consider pinning Playwright versions, and review dependency provenance before use.
Running the skill allows local scripts to control a browser, upload the selected image, write logs/screenshots, and operate on the Taobao session.
The skill is designed to execute local Node.js automation scripts; this is central to its purpose but should be recognized as local code execution.
Prefer running the script: `run-taobao-task.js`. ... node run-taobao-task.js --image /absolute/path/to/image.png --headed
Review the included scripts, run them from a trusted directory, and avoid providing sensitive images unless you intend to upload them to Taobao.
