LCSC Mall Automation Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill openly automates LCSC/JLC browser workflows, but it can change carts, place orders, use logged-in sessions, and upload design files without clear approval safeguards.
Review this skill before installing. It is not clearly malicious, but you should use it only with explicit instructions, confirm before any cart/order/payment/upload action, and consider a dedicated browser profile to limit account-session exposure.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could change a cart, start order workflows, or interact with order information if the user request is ambiguous or not carefully confirmed.
The skill authorizes browser actions that can mutate an e-commerce/manufacturing account or expose order data, but the artifact does not specify approval gates, limits, or rollback guidance for high-impact actions.
Add to cart ... View/manage cart ... BOM matching ... PCB/SMT ordering ... View order status and logistics information
Use read-only browsing by default and require explicit user confirmation before adding to cart, submitting orders, making payments, changing account data, or uploading manufacturing files.
If misused, browser JavaScript evaluation could alter page state or bypass normal UI-only interaction patterns.
The skill documents JavaScript evaluation inside the automated browser. This is disclosed and related to browser automation, but it is a broad escape hatch compared with scoped click/fill/snapshot commands.
`eval "js expression" | Execute JavaScript` ... `eval as a supplement`
Prefer scoped browser commands and reserve eval for minimal, user-approved, site-specific inspection or interaction.
The agent may be able to access order history, logistics information, and authenticated LCSC/JLC pages if a browser session is available.
The skill can operate in a logged-in browser context and documents cookie/session commands while also covering order and logistics pages. This is purpose-aligned for account automation but involves sensitive authentication and account data.
`sessions` list active sessions ... `cookies [import|export]` manage cookies ... View order status and logistics information
Use a dedicated browser profile when possible, avoid exporting cookies, and only log in or share session access when you trust the workflow.
The actual behavior depends on the locally installed camoufox-cli binary, which was not reviewed as part of this artifact set.
The skill relies on a local external binary that is not included in the artifacts and is not declared through an install specification or required-binary metadata.
camoufox-cli path: `/opt/homebrew/bin/camoufox-cli`; camoufox-cli must be invoked using the full path above
Install camoufox-cli only from a trusted source, verify the path and version, and prefer metadata that declares required binaries.
Using the skill may disclose component lists, PCB designs, or manufacturing details to the external provider.
The BOM and PCB/SMT workflows involve uploading user-selected files to LCSC/JLC web pages. That is expected for the stated purpose, but BOMs and PCB files can contain sensitive business or design information.
Upload a BOM sheet or enter part numbers ... Fill in parameters, upload files
Confirm the exact files and destination before upload, and avoid using confidential design files unless the provider and account are appropriate.
