1688-88syt

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears aligned with its stated 1688 B2B transaction purpose, but it uses an account AK and can perform real order and refund-related actions, so users should confirm write operations carefully.

This skill is reasonable for managing 1688 88生意通 purchase orders, but it has real account authority. Install only from a source you trust, protect the AK, and do not approve create/sign/refund/confirm-receipt/invalidate actions unless the order details and business intent are correct.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a write command is confirmed incorrectly, it could change a real business transaction or funds-related workflow.

Why it was flagged

The skill exposes commands that can mutate purchase orders and transaction state, including receipt confirmation and refund application. The artifact also requires confirmation, so this is disclosed and purpose-aligned rather than suspicious.

Skill content

Write | create-order, sign-order, sign-reject, confirm-receipt, invalidate-order, refund-apply | User intent must be confirmed first; operations involving funds or state changes require a second confirmation

Recommendation

Before approving write operations, verify the order number, role, counterparty, amount, and intended action; require explicit second confirmation for refunds, receipt confirmation, rejection, or invalidation.

What this means

Anyone or any agent process with access to that AK/configuration could potentially perform the supported 88生意通 actions for the account.

Why it was flagged

The configure capability persists the user's AK in OpenClaw configuration so later API calls can act under the user's 1688 account authority.

Skill content

skill_entry["apiKey"] = api_key

Recommendation

Only provide the AK in a trusted environment, avoid sharing it in normal chat beyond the intended setup flow, and rotate/regenerate it if you suspect exposure.

What this means

Installing from a moving Git branch can fetch code that differs from the reviewed package.

Why it was flagged

The README suggests installing from a remote Git repository without pinning a specific commit. This is user-directed and not an automatic install step, but users should be aware of provenance.

Skill content

Please help me install this skill: git clone https://github.com/next-1688/1688-88syt.git

Recommendation

Prefer the reviewed registry package or pin and inspect a specific commit if installing from GitHub.