Vinehoo Product Search

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to perform the described wine product search and statistics tasks using included Node scripts, with no evidence of hidden credential use, persistence, or destructive behavior.

This skill looks coherent for searching Vinehoo wine products. Before installing, be comfortable with it running Node.js scripts and sending your search terms or filters to wxapp.vinehoo.com; avoid putting sensitive personal information into searches.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search terms and filters are used to run local helper commands; poorly handled shell quoting could cause incorrect command behavior.

Why it was flagged

The skill directs the agent to execute local Node scripts with parameters derived from the user's request. This is expected for the skill, but user-provided values should be passed safely as arguments.

Skill content
Run `node scripts/search_products.js --page <页码> --limit <数量> --keywords "<关键词>" ...`
Recommendation

Use the included scripts only for the documented search/statistics tasks and ensure user-entered values are treated as command arguments, not shell syntax.

What this means

Wine search queries and filter values may be shared with the Vinehoo service.

Why it was flagged

The script sends the search payload to an external Vinehoo endpoint. This is disclosed and purpose-aligned, but it means search keywords and filters leave the local environment.

Skill content
const API_URL = 'https://wxapp.vinehoo.com/openai/v3/product/list'; ... req.write(JSON.stringify(data));
Recommendation

Avoid entering private or sensitive personal information as search keywords, and verify product links before making purchases.

What this means

The skill may fail if Node.js is unavailable, despite the metadata not declaring it as a required binary.

Why it was flagged

The skill has no package dependencies, but it still depends on a Node.js runtime while the registry requirement section lists no required binaries.

Skill content
Dependencies: uses the native Node.js https module; no additional dependencies need to be installed
Recommendation

Confirm Node.js is available before use; no additional packages appear necessary.