卖家之家 (Cross-Border E-commerce) News Search and Publishing

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated MJZJ search-and-publishing purpose, but it can use your MJZJ API key to upload images and publish articles under your account.

Install only if you intend to let the agent search MJZJ and help publish MJZJ articles. Keep the MJZJ_API_KEY private, ask the agent to show a full preview before publishing, and revoke the key if you stop using the skill.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent misunderstands the user or skips review, it could publish an article or upload images under the user's MJZJ account.

Why it was flagged

The workflow instructs the agent to download/upload article images and then call the article creation endpoint. This is expected for a publishing skill, but it is an account-changing/publication action.

Skill content

For each image, download the file separately...use that `putUrl` to upload the image file to COS... 5. Call `/api/articleManage/create` to publish the article

Recommendation

Before the final `/api/articleManage/create` call, require the agent to show the title, content, author, tags, publish time, and image list, and get explicit user confirmation.

What this means

Anyone or any agent using this configured key could act within the key's MJZJ permissions for the listed operations.

Why it was flagged

The skill uses the user's MJZJ API key for authenticated endpoints that can query private account data, upload files, and publish articles.

Skill content

The other 6 endpoints: require
  - `Authorization: Bearer $MJZJ_API_KEY`

Recommendation

Use a dedicated, least-privilege MJZJ API key if available, store it only in the skill configuration, and rotate or revoke it when no longer needed.