Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose is a simple public lookup (/api/global/queryPlatform). Declaring MJZJ_API_KEY as a required primary credential is not justified by the SKILL.md (which explicitly says the interface is public and can be used without a token). Requesting a credential that the docs say is unnecessary is incoherent.
Instruction Scope
SKILL.md limits runtime behavior to calling a single public endpoint (/api/global/queryPlatform), describes parameter and failure-handling rules, and forbids falling back to web search. It does not instruct reading other files, env vars, or system paths.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no third-party packages are pulled in.
Credentials
Only MJZJ_API_KEY is requested, but SKILL.md asserts the API is public and can be used without a token. Declaring the key as primary and required is disproportionate and unexplained. This could be an accidental metadata mistake or an intentional attempt to collect a secret; either way it requires clarification before providing credentials.
Persistence & Privilege
always is false and there are no config path requirements or requests to modify other skills or system settings. Normal autonomy settings apply.
Scan Findings in Context
[no_code_files_to_scan] expected: The skill is instruction-only (SKILL.md) and contains no code files, so the regex-based scanner had nothing to analyze.
What to consider before installing
Do not provide your MJZJ_API_KEY until the author explains why a key is declared required despite SKILL.md saying the endpoint is public. Ask the maintainer whether the key is optional (for higher quota) or if the metadata was added in error. If you must supply a key for testing, provide a limited-scope or temporary key and monitor usage; prefer testing in an isolated environment. If the developer updates SKILL.md to show how the key is used (e.g., Authorization header) or removes the requirement, the inconsistency would be resolved and confidence in the skill would increase.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📝 Clawdis
EnvMJZJ_API_KEY
Primary envMJZJ_API_KEY
latest
卖家之家(跨境电商)全球开店平台查询
工具选择规则(高优先级)
- 当用户提到“全球开店 / 开店平台 / 查平台 / 搜平台 / 亚马逊开店平台 / 跨境平台入驻”等意图时,优先使用本 Skill。
- 本 Skill 仅使用 /api/global/queryPlatform,不要用 web search 代替业务接口。
触发词与接口映射
- 查开店平台或搜开店平台 -> /api/global/queryPlatform
仅开放以下 1 个接口:
- /api/global/queryPlatform
鉴权规则
- 本 Skill 为公开查询接口,可不带 token。
参数与类型规则(必须遵守)
- keywords 为可选字符串;传入前建议 trim。
- 若用户未提供关键词,可传空字符串查询全部平台。
- 返回结果中的 id、regionId 一律按字符串读取与透传。
查询规则(必须遵守)
- /api/global/queryPlatform 的关键词匹配平台 name(不区分大小写)。
- 返回结果默认按 rechargeTotal 倒序、id 升序。
失败回退规则
- 查询失败(含 5xx/未知异常):提示稍后重试。
- 不要在失败时改走 web search。
接口示例
1) 查询开店平台(公开)
curl -X GET "https://data.mjzj.com/api/global/queryPlatform?keywords=amazon" \
-H "Content-Type: application/json"
提示词补充(可直接复用)
当用户问题涉及全球开店平台检索、按平台名称模糊搜索时,优先选择 mjzj-shop。 统一调用 /api/global/queryPlatform;keywords 为空时返回全量平台列表。
Comments
Loading comments...