Audtools Ecommerce Category Collector

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing or running the skill may use or expose the embedded Audtools account, and actions taken by the agent could affect that account's data, quota, or service access.

Why it was flagged

The script hardcodes an Audtools phone number and password even though the registry declares no primary credential or required environment variables.

Skill content
username: '15715090600',
  password: 'zzw12345'
Recommendation

Remove hardcoded credentials, require the user to provide their own credentials through a declared secret/config mechanism, and document exactly which account permissions are needed.

What this means

A mistaken CSV path or large directory could cause many Audtools collection/export actions under the logged-in account.

Why it was flagged

The skill intentionally drives a browser to log in, submit collection tasks, select all collected products, and trigger export.

Skill content
Automatically logs in, submits collection tasks, automatically selects all collected products, and triggers export
Recommendation

Use test mode first, verify the CSV contents, prefer explicit item limits, and use --no-export unless automatic export is intended.

What this means

Installing dependencies may fetch a newer compatible package version than the one originally tested.

Why it was flagged

The README instructs npm install, and the dependency version is specified with a caret range rather than an exact pinned version.

Skill content
"dependencies": {
    "csv-parse": "^5.5.0"
  }
Recommendation

Review the dependency source and consider using a lockfile or pinned dependency version for reproducible installs.