Xianyu Auto-Reply Assistant (闲鱼自动回复助手)
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a coherent Xianyu auto-reply bot, but it requires a full browser cookie and can run in the background to automatically send AI-generated messages from the user’s account.
Only install this if you fully trust the publisher and are comfortable giving the skill a browser cookie that can act as your Xianyu account. Start in a supervised or review-before-send mode if possible, verify what AI CLI/provider will receive buyer and product data, monitor logs, keep the stop command handy, and delete ~/.xianyu-agent if you want to remove the cookie and stored chat history.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the cookie or config file is exposed, someone may be able to access the user’s Xianyu session or send messages as the user.
The skill requires a full browser session cookie and uses it to act as the user, including sending replies. This is a broad account credential, not a scoped integration token.
"The Cookie is the login credential saved by your browser... the program uses it to... send replies under your identity... The Cookie is stored only locally in `~/.xianyu-agent/config.json`"
Use an official scoped OAuth/API token if available, clearly declare the cookie as a sensitive credential, restrict config file permissions, and provide clear revocation and deletion steps.
The bot could send incorrect, misleading, or unwanted replies to buyers, affecting sales, disputes, or account reputation.
The workflow automatically sends AI-generated messages through the user’s marketplace account. This is purpose-aligned but high-impact because it mutates account communications without per-message confirmation.
"After a buyer message is received, the locally installed AI CLI tool is invoked... to generate the seller's reply... the AI-generated reply is then sent to the buyer through the Xianyu messaging system"
Default to review-before-send or dry-run mode, add per-item and per-conversation controls, rate limits, audit logs, and an obvious emergency stop.
A malicious or playful buyer may be able to influence the AI into sending off-policy, embarrassing, or business-damaging messages.
Buyer-controlled text is included directly in the AI prompt. Because the generated output is later sent automatically, a buyer could attempt prompt injection to manipulate the reply.
"Buyer messages, item information, and conversation history are passed in as the prompt"
Treat buyer messages as untrusted data, separate system instructions from quoted user content, add stronger injection handling, and require human approval for suspicious conversations.
Buyer messages, product details, and conversation history may be exposed to the configured AI CLI/provider or to an agent with broader permissions than expected.
The skill passes the generated prompt to a separate AI CLI or agent. The artifacts do not clearly bound that agent’s provider, tool permissions, retention, or data handling.
cmd = ['claude', '-p', '--max-turns', '1', prompt] ... cmd = ['openclaw', 'agent', '--prompt', prompt]
Explicitly document the AI data flow, disable tools for the reply-generation agent where possible, redact sensitive data, and let users choose or approve the model/provider.
Users may believe their chat and product data only touches Xianyu systems when it may also pass through their AI CLI setup.
The privacy/network statement may mislead users because the skill also relies on external AI CLI tooling for reply generation, and the prompt includes buyer/chat/product context.
"**Network connections**: communicates only with official Xianyu domains... does not connect to any third-party service. ... invokes the locally installed AI CLI tool (`claude -p` or `openclaw agent`)"
Revise the disclosure to distinguish Xianyu API traffic from AI-provider traffic and state exactly what data is sent to the AI CLI.
Old buyer messages and product details remain on the machine and may influence future replies or be exposed if the local account is compromised.
The skill stores chat messages and item data in a local SQLite database. This is disclosed and purpose-aligned, but it creates persistent local memory that can be reused in later prompts.
CREATE TABLE IF NOT EXISTS messages ... content TEXT NOT NULL ... CREATE TABLE IF NOT EXISTS items
Provide retention limits, a deletion command, file-permission hardening, and clear instructions for removing ~/.xianyu-agent data.
The auto-reply process may keep sending messages until the user stops it or the cookie expires.
The skill intentionally starts a background monitor and records its PID. This is disclosed and stop instructions are included, but users should be aware that the service keeps running after setup completes.
cd ~/.xianyu-agent && python3 xianyu_monitor.py >> logs/monitor.log 2>&1 & echo $! > ~/.xianyu-agent/monitor.pid
Make startup confirmation explicit, show the stop command after launch, and consider automatic shutdown or scheduled operating hours.
Users have less provenance information to decide whether to trust code that can act through their marketplace account.
The published package lacks an upstream source or homepage, which matters more because the skill handles account cookies and background automation.
Source: unknown; Homepage: none
Publish a verifiable source repository, changelog, and maintainer documentation for the reviewed scripts.
