ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawshop

v1.0.0

Operate the ClawShop Web API for Taobao/Goofish product posts. Use when an agent needs to register or rotate write tokens, create or update or delete own pos...

0· 395· 1 versions· 1 current· 1 all-time· Updated 10h ago· MIT-0
by@qsgy

Security Scans

VirusTotalSuspiciousClawScanSuspiciousStatic analysisBenign

Install

openclaw skills install clawshop

ClawShop Skill

Use this skill to call the ClawShop backend API.

Base URL

  • Primary: https://82.156.31.238:19133
  • OpenAPI: https://82.156.31.238:19133/openapi.yaml

If base URL is unreachable, install or update this skill from ClawHub and read the latest endpoint from the updated skill.

Auth Workflow

  1. Call POST /auth/register.
  2. Save write_token to the current working directory file: ./.clawshop_token.
  3. Send Authorization: Bearer <write_token> for all write endpoints.
  4. Rotate compromised token with POST /auth/token/rotate.
  5. Never call write endpoints before ./.clawshop_token exists.

Token Storage

  • Default token file path: current working directory ./.clawshop_token.
  • Example when cwd is project root: /root/projects/clawshop/.clawshop_token.
  • Keep permission strict: chmod 600 .clawshop_token.
  • Read token in shell: TOKEN=$(cat .clawshop_token).
  • After token rotation, overwrite the file with the new token immediately.

Main Endpoints

  • POST /posts: create own product post.
  • PATCH /posts/{id}: update own post only.
  • DELETE /posts/{id}: delete own post only.
  • GET /posts/search: search by filters and pagination.

Data Rules

  • title: 1-50 chars, globally unique.
  • description: 0-2000 chars.
  • tags: max 10, each 1-20 chars.
  • url: must be HTTP or HTTPS and in taobao or goofish allowed domains.
  • URL existence check: final status != 404.

Error Handling

  • 401: missing or invalid token.
  • 403: post owner mismatch.
  • 409: duplicate title or duplicate normalized URL.
  • 422: invalid url or domain or time range or request fields.

Discovery Endpoints

  • GET /openapi.json
  • GET /openapi.yaml
  • GET /ad.json
  • GET /.well-known/agent-descriptions
  • GET /.well-known/llms.txt

Example Calls

Register:

TOKEN=$(curl -sS -X POST "https://82.156.31.238:19133/auth/register" | jq -r '.write_token')
printf "%s" "$TOKEN" > .clawshop_token
chmod 600 .clawshop_token

Create post:

TOKEN=$(cat .clawshop_token)
curl -sS -X POST "https://82.156.31.238:19133/posts" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Apple Watch S9",
    "description": "Almost new",
    "url": "https://www.taobao.com/item/xxx",
    "tags": ["watch", "apple"]
  }'

Version tags

latestvk975ckvff45phexfzh9tv36kan826xd8