Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audtools Ecommerce Category Collector

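Automatically submits batch category-link collection tasks to the Audtools ecommerce collection tool. Supports reading collections links from CSV files, logging in automatically, submitting collection tasks, and managing the lifecycle of multiple tab pages. Use this skill when you need to batch-collect ecommerce category products through Audtools.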

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (batch-submitting collection links to Audtools and exporting results) aligns with the code and SKILL.md: the script reads CSVs, opens the Audtools page, logs in, submits tasks and triggers exports. However the skill embeds a concrete Audtools username/password in both SKILL.md and scripts/collector.js instead of declaring credentials as required environment variables or prompting the user. That is a mismatch between what the skill claims to need (an Audtools account) and how it manages credentials (hardcoded).
Instruction Scope
Runtime instructions and the script perform wide browser automation: reading CSV files from disk, opening the Audtools site, performing login, opening/closing tabs, executing DOM-level clicks and form fills, and triggering downloads. This is expected for the stated task, but the SKILL.md/code explicitly bake in an account (phone+password) and instruct editing the script to set credentials — that grants the skill direct access to an account without any declared credential handling. The script also uses browser.evaluate() to run arbitrary JS inside pages (normal for browser automation but powerful), so you should only run it against sites and accounts you trust. The SKILL.md is prescriptive about using a specific account (15715090600 / zzw12345) which is unexpected and suspicious.
Install Mechanism
No install spec in the registry (instruction-only skill plus code files). package.json lists one dependency (csv-parse) and README suggests running npm install — this is reasonable and proportional. Because there's no installer that downloads arbitrary binaries/archives from unknown hosts, the install risk is low. The skill does run as a Node script, so normal npm hygiene applies.
Credentials
The skill requests no environment variables or credentials in metadata, yet the code and documentation include a hardcoded username and password. Requiring or embedding credentials in code is insecure and inconsistent with the declared requirements. The skill also reads CSV files from arbitrary paths (expected) but does not declare any permission model for uploads/downloads. The presence of a shell helper import (child_process.execSync) in the script is not explained in SKILL.md and may be disproportionate unless used only for benign local operations; its usage should be inspected before running.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges in the metadata. It operates as a runtime script that opens browser tabs via the platform API; that is consistent with its purpose. There is no evidence it modifies other skills or system agent configurations. Note: autonomous invocation is enabled by default (disable-model-invocation=false), which is normal for skills but increases blast radius when combined with embedded credentials — consider that when deciding whether to allow autonomous runs.
What to consider before installing
Key things to consider before installing or running this skill:

  • Hardcoded credentials: SKILL.md and scripts/collector.js include a concrete Audtools account (phone: 15715090600, password: zzw12345). Do not assume that account is yours or safe to use. Treat these as a red flag — either remove them or replace with your own credentials. Prefer storing credentials in environment variables or the platform's secret store rather than editing code.
  • Inspect the code before running: review scripts/collector.js end-to-end (including the truncated portion) to see exactly what execSync is used for and what the script does after triggering downloads. Search for any network requests, remote endpoints, or calls that could exfiltrate data.
  • Test in a sandbox: run in a controlled environment (test account, isolated machine or VM) and with test CSV files (use --test) before pointing it at production accounts or large datasets.
  • Principle of least privilege: create or use an Audtools account with minimal permissions and no sensitive data for automation. Do not reuse administrative or personal credentials embedded by the skill.
  • Replace hardcoded secrets: if you decide to use the skill, move username/password into environment variables and update the code to read from them; update metadata to declare the required env vars so the platform can surface that requirement to users.
  • If you need more assurance: ask the author (or request full source) to explain why execSync is imported and to document every external action (downloads, file writes). If the author cannot justify the embedded account or shell usage, avoid running the skill.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.0

SKILL.md

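Ecommerce Category Collection Skill

Description

Automatically submits batch category-link collection tasks to the Audtools ecommerce collection tool, and supports select-all export of already collected products. Supports reading collections links from CSV files, logging in automatically, submitting collection tasks, and automatically selecting all collected products and triggering the export.

Use cases

  • Batch processing of ecommerce site category-link collection
  • Automating repetitive collection task submission
  • Automating select-all export of collected products
  • Handling large volumes of category-link data

Prerequisites

  1. An Audtools account (phone number: 15715090600, password: zzw12345)
  2. An active product collection tool service (currently 26 days remaining)
  3. A CSV file containing a "完整链接" (full link) column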

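Usage

Basic commands

# Use a single CSV file (submit collection + automatic select-all export)
/collect-categories /path/to/your/file.csv

# Use all CSV files in a directory
/collect-categories /path/to/directory/

# Set the number of products to collect (default 9999)
/collect-categories /path/to/file.csv --items 5000

# Set the operation interval (default 2 seconds)
/collect-categories /path/to/file.csv --interval 3

# Set the tab close delay (default 3 seconds)
/collect-categories /path/to/file.csv --close-delay 5

# Test mode (process only the first 3 rows)
/collect-categories /path/to/file.csv --test

# Submit collection only, without running the export
/collect-categories /path/to/file.csv --no-export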

CSV file format requirements

The "完整链接" (full link) column is required; the other columns are optional:

完整链接,分类路径,域名,1级分类,2级分类,3级分类
https://zaraoutlet.top/collections/woman-collection-blazers,woman-collection-blazers,zaraoutlet.top,Women,Blazers,
https://zaraoutlet.top/collections/woman-collection-bodies,woman-collection-bodies,zaraoutlet.top,Women,Bodies,

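Workflow

  1. Read the CSV file and validate its format
  2. Open the main collection page and check the login state; log in automatically if not logged in
  3. For each link:
    • Enter the collections link and the number of products to collect
    • Submit the collection task
    • Click through to the collected-products detail page (new tab)
    • Automatically select all products (with special handling for layui-table: select-all via the table header, or ticking rows one by one)
    • Fill in the category path
    • Click the export button to trigger the download
    • Close the detail tab
  4. Wait for the configured interval, then process the next link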

Skill file structure

ecommerce-category-collector/
├── SKILL.md              # Skill documentation
├── scripts/
│   └── collector.js      # Main collection script
├── references/
│   └── csv-format.md     # CSV format reference
└── test/
    └── sample.csv        # Test data

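Configuration parameters

Parameter             Default                                                                   Description
audtools_url          https://www.audtools.com/users/shopns#/users/shopns/collecs?spm=m-1-2-3   Collection page URL
username              15715090600                                                               Login phone number
password              zzw12345                                                                  Login password
default_items         9999                                                                      Default number of products to collect
default_interval      2000                                                                      Default operation interval (milliseconds)
default_close_delay   3000                                                                      Default tab close delay (milliseconds)
exportWaitTimeout     30000                                                                     Export wait timeout (milliseconds)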

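Error handling

  • CSV file missing or malformed → prompt the user to check the file
  • Login failure → prompt to check the account and password
  • Network connection problems → retry mechanism
  • Page element not found → smart waiting and retry

Notes

  1. Free members can collect at most 10 products per task
  2. Category collection does not support second-level categories
  3. Make sure the collections link format is correct
  4. Use the operation interval to avoid triggering anti-scraping mechanisms
  5. Batch operations are best run during off-peak hours

Changelog

  • v1.0.0 (2026-03-18): Initial version, supports basic collection functionality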
