Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

JD Price Protection 京东自动价保

Auto-apply JD.com (京东) price protection on all eligible orders. Connects to Chrome via OpenClaw Browser Relay CDP, navigates to JD price protection page, cli...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 364 · 4 current installs · 4 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to drive JD.com pages via the OpenClaw Browser Relay and the included script does exactly that: derives a relay token, connects to a local CDP websocket, finds/navigates to the JD price-protection page, clicks '申请价保' buttons, and collects results. Required accesses (gateway token or ~/.openclaw/openclaw.json) are coherent with the stated purpose.
Instruction Scope
SKILL.md and the script are aligned on the core workflow. Minor inconsistencies: SKILL.md suggests scheduled runs should 'skip silently' when the Chrome relay is disconnected, but the script throws errors like 'No gateway token found' or 'No browser page available' and exits non-zero—so scheduled behavior may not be as silent as described. The script reads only the gateway token from ~/.openclaw/openclaw.json (or GATEWAY_TOKEN) and otherwise operates only through the browser; it does not call external network endpoints from Node itself.
Install Mechanism
There is no install spec (instruction-only), which reduces surface risk. However the script requires Node and the 'playwright-core' module; neither Node nor dependency installation is documented in SKILL.md. The script tries to require 'playwright-core' (including a fallback path), so users must ensure playwright-core is installed in their environment before running.
Credentials
The script needs only the OpenClaw gateway token (from GATEWAY_TOKEN env var or ~/.openclaw/openclaw.json) to derive the relay token — this is proportional because the relay token is what authorizes CDP access to the user's browser. No other credentials or unrelated secrets are requested.
Persistence & Privilege
The skill does not request persistent 'always' inclusion or modify other skills/config. However it exercises a high-impact capability at runtime: it controls the user's browser (pages and clicks) while the user is logged in to JD. That privilege is expected for this task but is powerful — the script will act with the authority of the logged-in session, so the user should only run it for trusted code and contexts.
Assessment
This skill appears to implement exactly what it claims (automatically apply price-protection requests in your JD account) and doesn't contact unexpected remote servers, but take these precautions before installing or running it:

  • Code review: inspect scripts/price-protect.js yourself (it's included) or have someone you trust review it before running.
  • Gateway token: the script reads your OpenClaw gateway token from ~/.openclaw/openclaw.json or GATEWAY_TOKEN. That token lets the script control your browser via the relay; do not provide it to untrusted skills or services.
  • Dependencies: SKILL.md omits runtime deps; install Node and playwright-core (or ensure your environment already provides it) before running.
  • Test manually first: run the script manually while watching the browser to ensure it clicks only expected elements and behaves correctly; do not enable it as an unattended cron job until satisfied.
  • Run in a contained profile: consider using a separate Chrome profile where only the needed JD account is logged in, to limit side effects.
  • Scheduled behavior: be aware the script may exit with an error if the gateway/relay is disconnected (contrary to the 'skip silently' phrasing in the doc); wrap the cron invocation to handle non-zero exit codes if you want silent behavior.

If you are not comfortable with code that can drive your logged-in browser, do not install or run this skill. If you proceed, keep your gateway token secret and run the script in a controlled environment first.


Current version: v1.0.0

Tags: automation, browser, china, jd, latest, price-protection, shopping


SKILL.md

JD Price Protection

Auto-apply price protection (价格保护) on all eligible JD.com orders via Chrome Browser Relay.

Prerequisites

  • Chrome with OpenClaw Browser Relay extension installed and connected (badge ON)
  • User must be logged into JD.com in Chrome
  • OpenClaw gateway running

Usage

Run the script:

node <skill-dir>/scripts/price-protect.js

The script will:

  1. Connect to Chrome via OpenClaw's CDP relay (auto-derives relay token from gateway config)
  2. Navigate to https://pcsitepp-fm.jd.com/ if needed
  3. Click every "申请价保" button on the page
  4. Reload and collect results (successes with refund amounts, failures with reasons)
  5. Output JSON results

Interpreting Results

{
  "total": 11,
  "clicked": 11,
  "success": [{"name": "ANKER 140W充电线...", "amount": "6.00"}],
  "failed": [{"name": "KAMAN收纳盒...", "reason": "无差价"}]
}

  • Only notify the user if the success array is non-empty (refunds obtained)
  • If all items show "无差价", update state silently

Scheduled Usage

Set up a cron job to run every ~8 hours. Example agent prompt:

Run node <skill-dir>/scripts/price-protect.js. If Chrome relay is disconnected (error), skip silently. If refunds found, notify user. Otherwise update checkedAt silently.

Troubleshooting

  • "No browser page available": Chrome relay disconnected. User must click Browser Relay toolbar icon.
  • "No gateway token found": Set GATEWAY_TOKEN env var or ensure ~/.openclaw/openclaw.json has gateway.auth.token.
  • Timeout on clicks: A popup may be blocking. Script presses Escape after each click to dismiss.

How It Works

Derives the relay auth token via HMAC-SHA256(gatewayToken, "openclaw-extension-relay-v1:<port>"), connects Playwright to Chrome's CDP websocket, then uses getByText('申请价保', {exact: true}).click() to trigger each button.

Files

2 total