kuaishou-lifeservice-business-assistant

v1.0.0

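Kuaishou Local Services merchant operations assistant: gives merchants the ability to query products, merchant stores, merchant staff, merchant official accounts, merchant sub-accounts, and the merchant's business data.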

by kuaishou-lifeservice@qingfeng9924
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description describe a Kuaishou merchant assistant and the code + docs implement many merchant-related API calls against Kuaishou domains (open.kwailocallife.com, lbs-open.kuaishou.com). Required binary (python3) and the single credential (an access token) are appropriate for this purpose.
Instruction Scope
SKILL.md and scripts instruct adding API credentials, running local Python scripts, and calling Kuaishou APIs. The instructions only reference local storage under ./.kuaishou-localife-token and Kuaishou endpoints; they do not instruct reading unrelated system files or sending data to non-Kuaishou endpoints.
Install Mechanism
This is instruction+script based with no install spec — no external downloads or package installs are performed by the skill bundle itself. All network calls in code point to Kuaishou domains. No high-risk URL downloads or archive extraction present.
Credentials
The skill declares a single primary environment credential (KWAI_ACCESS_TOKEN), which is proportionate. There is a minor inconsistency: the codebase primarily supports app_key#merchant_id#app_secret managed via local files and has a get_access_token flow that fetches/caches tokens; other docs mention exporting ACCESS_TOKEN. The dual modes are reasonable but the declared required env var name may not be strictly necessary if the api_key manager is used.
Persistence & Privilege
The skill writes token and account context files under a local directory (./.kuaishou-localife-token/) — this is expected for caching credentials. always is false and the skill does not request system-wide privileges or modify other skills. Local persistence and file I/O are limited to its own token directory.
Assessment
This package appears to be a straightforward client for Kuaishou merchant APIs. Before installing or running it:
- Confirm you trust the source (homepage and owner) and that those domains (open.kwailocallife.com, lbs-open.kuaishou.com) are legitimate for your organization.
- Understand credential handling: the skill accepts either an ACCESS_TOKEN environment variable or app_key#merchant_id#app_secret stored via the provided api_key_manager; both approaches will result in tokens being cached to ./.kuaishou-localife-token/. If you prefer not to persist secrets to disk, avoid using the api_key manager and provide only a short-lived token at runtime.
- Protect the local token directory (set appropriate filesystem permissions) since it contains credentials.
- Review the scripts yourself (they are included) if you have stricter security requirements — network calls are limited to Kuaishou domains only.
- If you are unsure about the declared env var name (KWAI_ACCESS_TOKEN vs ACCESS_TOKEN), test the flow in a safe environment: either set the env token or add/select an app_key context via scripts/api_key_manager.py.

Overall the skill is internally coherent for its described function; the main caution is to manage and protect the access token/app secret material appropriately.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🏪 Clawdis
Bins: python3
Env: KWAI_ACCESS_TOKEN
Primary env: KWAI_ACCESS_TOKEN
