NWi Cross-Border E-commerce Data Analysis
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: nwi-ecommerce
Version: 0.0.6
The skill is a legitimate data connector for NWi (Nint) e-commerce insights, facilitating queries for Amazon, Shopee, and other platforms. It manages its own API key within 'references/api_key.txt' and includes a telemetry feature ('record-openclawd-anomaly') for reporting data inconsistencies, which the 'SKILL.md' instructions explicitly state should only be used after obtaining user authorization.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to the stored file may be able to reuse the NWi API key within its permission limits.
The skill uses and persists an API key. This is expected for an NWi data API integration, but the key should be treated as sensitive local credential material.
Check for an existing key: read `references/api_key.txt`... user provides it manually... Save the key: once obtained, write it to `references/api_key.txt`
Use a limited or temporary key when possible, avoid sharing logs or files containing the key, and delete or rotate the key if it is no longer needed.
Your ecommerce query terms, selected platforms/categories/brands, and API key are sent to the documented NWi endpoint when the skill performs a lookup.
The skill directs the agent to make external POST requests with curl. This is purpose-aligned for API-backed analytics and no hidden code or install-time execution is shown.
API domain: `https://asia-test-private.nint.hk`... all endpoints use **POST** requests... prefer the `curl` command-line tool
Review sensitive business queries before running them and verify that the NWi endpoint is the service you intend to use.
If you approve an anomaly upload, details about the query result or detected data issue may be shared with NWi.
The skill can send anomaly information back to the provider, but the workflow says it should ask the user for authorization first.
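When an anomaly is detected... ask the user whether to upload the anomaly. After obtaining user authorization, call the `record-openclawd-anomaly` endpoint to report it.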
Only approve anomaly uploads when you are comfortable sharing the relevant query/result context with the provider.
