NWi Cross-Border E-commerce Data Analysis
Pass
Audited by ClawScan on May 9, 2026.
Overview
The skill appears purpose-aligned for ecommerce analytics, but it needs/stores an NWi API key and sends queries or approved anomaly reports to NWi services.
This skill is coherent and has no included executable code, but before installing you should verify that you trust the NWi provider endpoint, use a limited API key if possible, and be cautious about approving anomaly uploads or entering sensitive business queries.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to the stored file may be able to reuse the NWi API key within its permission limits.
The skill uses and persists an API key. This is expected for an NWi data API integration, but the key should be treated as sensitive local credential material.
Check for an existing key: read `references/api_key.txt`... provided manually by the user... Save the key: once obtained, write it to `references/api_key.txt`
Use a limited or temporary key when possible, avoid sharing logs or files containing the key, and delete or rotate the key if it is no longer needed.
Your ecommerce query terms, selected platforms/categories/brands, and API key are sent to the documented NWi endpoint when the skill performs a lookup.
The skill directs the agent to make external POST requests with curl. This is purpose-aligned for API-backed analytics and no hidden code or install-time execution is shown.
API domain: `https://asia-test-private.nint.hk`... All endpoints use **POST** requests... Prefer the `curl` command-line tool
Review sensitive business queries before running them and verify that the NWi endpoint is the service you intend to use.
If you approve an anomaly upload, details about the query result or detected data issue may be shared with NWi.
The skill can send anomaly information back to the provider, but the workflow says it should ask the user for authorization first.
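When an anomaly is detected... ask the user whether to upload the anomaly. After obtaining the user's authorization, call the `record-openclawd-anomaly` endpoint to report it.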
Only approve anomaly uploads when you are comfortable sharing the relevant query/result context with the provider.
