Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deal Hunter Alert Claw (商业捡漏预警虾)

v1.0.0

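Deal Hunter Alert Claw (商业捡漏预警虾) — a rapid catcher of commercial information gaps. Monitors multiple platforms (Xianyu, Lianjia, Alibaba Auction, the Government Procurement Network, etc.), spots underpriced property, quality second-hand goods and tender opportunities as soon as they appear, and pushes Feishu alerts. Use this Skill when: (1) the user asks to monitor a platform for low-priced goods, property or tender information (2) the user asks to set a price alert threshold (e.g. "notify me when it is 30% below market price") (3...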

by Ricky @tujinsama

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tujinsama/deal-hunter-alert-claw.

Install the skill "商业捡漏预警虾" (tujinsama/deal-hunter-alert-claw) from ClawHub.
Skill page: https://clawhub.ai/tujinsama/deal-hunter-alert-claw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install deal-hunter-alert-claw

ClawHub CLI


npx clawhub@latest install deal-hunter-alert-claw

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name and description claim multi-platform monitoring and Feishu alerts, and included files (monitor.py + platform/risk/valuation docs) implement a demo scanner and filtering/valuation logic. However the SKILL declares no required credentials or environment variables even though real operation would typically require platform login state (e.g., 闲鱼 needs login) and messenger webhook/credentials for Feishu. The SKILL.md also repeatedly states default Feishu push but the package declares no Feishu token or config, so the claimed end-to-end behavior is not fully realized by the declared requirements.

Instruction Scope

Runtime instructions are specific: build rule JSON, run the provided monitor.py pointing at a rules file or single rule, read the included references for valuation/risk, and optionally schedule with cron. The instructions only reference files bundled with the skill or a per-skill data directory under the user's home; they do not instruct wide-ranging system access (no attempt to read shell history, SSH keys, or unrelated config). They do recommend replacing demo collectors with real HTTP/Selenium scrapers which will require storing credentials and possibly cookies — that is an operational note rather than covert scope creep.

Install Mechanism

No install spec (instruction-only + shipped script) — low install risk. However the SKILL and monitor.py comment that real deployment will require Selenium / HTTP scraping and presumably additional Python dependencies (requests, selenium, browser driver), but those are not declared. The lack of an install spec means dependencies would be installed manually by the operator, increasing deployment friction but not directly a security red flag.

Credentials

The skill requests no environment variables or credentials, yet real usage logically requires platform login state (cookies, credentials) to scrape some sites and a Feishu webhook or token to push notifications. The script does accept an optional DEAL_HUNTER_DATA env var for the data dir, but there is no declared Feishu token variable or other secrets. This mismatch (declared no credentials vs. stated default notification / platform requirements) is a design inconsistency you should resolve before running in production.

Persistence & Privilege

always:false and the skill does not request elevated system privileges. It writes data under ~/.openclaw/workspace/deal-hunter-data and maintains local seen_ids and alerts_log files — expected for a monitoring skill. It does not attempt to modify other skills' configs or system-wide settings in the visible files.

What to consider before installing

What to consider before installing or running this skill:

- Functional gaps: The included monitor.py is a demo that returns simulated results. The SKILL.md says it will push to Feishu by default, but no Feishu webhook/token is declared — confirm how notifications are actually delivered before assuming automatic pushes.
- Credentials & cookies: Real scraping of platforms like 闲鱼 and 链家 generally requires login state (cookies or username/password) or browser automation (Selenium). The skill does not declare or request these secrets, so you will need to provide and manage them yourself. Treat those credentials as sensitive and avoid storing them in plaintext or broadly accessible locations.
- Dependencies: The script references using Selenium and browser simulation in comments; there is no install step or dependency list. Installing drivers, browsers, and Python packages will be a manual step. Run these in a controlled environment (container or VM) to limit blast radius.
- Data storage: The skill stores seen IDs and alerts under ~/.openclaw/workspace/deal-hunter-data. Confirm you’re comfortable with the skill writing files there and set appropriate file permissions if needed.
- Legal/ToS and rate limits: Scraping some platforms can violate terms of service or lead to IP blocking. The references include rate-limit and anti-bot strategies; follow them and consider using official APIs where available.
- Security posture: Because the demo indicates you must replace simulated fetchers with real scraping code, carefully review any custom scraping implementation for hidden network calls or exfiltration. If you want a deeper review, provide the full, non-truncated monitor.py (the provided file was partially truncated in the package listing) and any code you plan to add for real scraping or notification delivery.
- Recommended safe steps: run the skill in a sandbox or container, limit network access for the container to only the target platforms and notification endpoint, provide credentials via a secrets manager or environment variables with restricted scope, and test on non-production accounts first.

Confidence note: medium — the assessment is limited because parts of monitor.py were truncated in the package listing and the skill delegates important behavior (login, push notifications) to either other skills or unimplemented code; seeing the full code that performs notification or real scraping would raise confidence and could change the verdict.

License: MIT-0

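Deal Hunter Alert Claw (商业捡漏预警虾)

Core workflow

Step 1: Understand the monitoring requirement

Extract from the user's input:

  • Platform: Xianyu / Zhuanzhuan / Lianjia / Beike / Alibaba Auction / Government Procurement Network, etc. (see the supported platform list)
  • Filter conditions: keyword, price ceiling/floor, region, discount threshold
  • Notification method: Feishu push by default

If the user does not specify a platform, infer it from the type of item:

  • Second-hand electronics / luxury goods → Xianyu + Zhuanzhuan
  • Second-hand homes / urgent sales → Lianjia + Beike
  • Judicial-auction property → Alibaba Auction + JD Auction
  • Tender projects → Government Procurement Network + tendering platforms

Step 2: Build the monitoring rules

Convert the user's requirements into rule JSON: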

{
  "platform": "xianyu",
  "keyword": "iPhone 15 Pro",
  "price_max": 5000,
  "price_min": 1000,
  "min_discount_pct": 20,
  "city": "上海",
  "notify_channel": "feishu"
}

Use an array for multiple rules:

[
  {"platform": "lianjia", "city": "beijing", "district": "朝阳区", "price_max": 500, "min_discount_pct": 20},
  {"platform": "paimai", "city": "beijing", "district": "海淀区", "price_max": 500, "min_discount_pct": 30}
]
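
An added example (not part of the skill's own code): a pre-flight validator for rule JSON of the shape shown above, which also builds the monitor.py invocation as an argument list so the rule text never passes through a shell. The platform identifiers come from this page's supported-platform table and the script path and --rule flag from its commands; the field types, the 0-100 discount range and the function names are assumptions.

```python
import json
import os

# Platform identifiers from this page's supported-platform table.
PLATFORMS = {"xianyu", "zhuanzhuan", "lianjia", "ke",
             "paimai", "jd_auction", "ccgp", "bidding"}
# Field names from the page's sample rules; the expected types are assumptions.
FIELDS = {"platform": str, "keyword": str, "city": str, "district": str,
          "notify_channel": str, "price_max": (int, float),
          "price_min": (int, float), "min_discount_pct": (int, float)}
# Script path as it appears in the page's commands.
MONITOR = "~/.openclaw/skills/deal-hunter-alert-claw/scripts/monitor.py"


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule passed."""
    if not isinstance(rule, dict):
        return ["rule is not a JSON object"]
    errors = [f"unknown field: {k}" for k in rule if k not in FIELDS]
    errors += [f"wrong type for {k}" for k, v in rule.items() if k in FIELDS
               and (isinstance(v, bool) or not isinstance(v, FIELDS[k]))]
    if not isinstance(rule.get("platform"), str) or rule["platform"] not in PLATFORMS:
        errors.append("platform missing or unsupported")
    if errors:
        return errors  # skip range checks when fields are malformed
    if rule.get("price_min", 0) > rule.get("price_max", float("inf")):
        errors.append("price_min exceeds price_max")
    if not 0 <= rule.get("min_discount_pct", 0) <= 100:
        errors.append("min_discount_pct outside 0-100")
    return errors


def load_rules(text):
    """Parse one rule object or an array; raise ValueError on any problem."""
    data = json.loads(text)
    rules = data if isinstance(data, list) else [data]
    problems = [f"rule {i}: {e}" for i, r in enumerate(rules) for e in validate_rule(r)]
    if problems:
        raise ValueError("; ".join(problems))
    return rules


def monitor_argv(rule):
    """Argument list for subprocess.run() without a shell; the rule is one item."""
    return ["python3", os.path.expanduser(MONITOR), "--rule",
            json.dumps(rule, ensure_ascii=False)]


# Constructed sample input, modelled on the page's multi-rule array.
SAMPLE = '[{"platform": "lianjia", "city": "beijing", "price_max": 500}]'
```
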

Step 3: Run the scan

# Single rule (quick test)
python3 ~/.openclaw/skills/deal-hunter-alert-claw/scripts/monitor.py \
  --rule '{"platform":"xianyu","keyword":"iPhone 15","price_max":5000}'

# Rules file (multi-platform monitoring)
python3 ~/.openclaw/skills/deal-hunter-alert-claw/scripts/monitor.py \
  --config ~/.openclaw/workspace/deal-hunter-data/rules.json

# JSON output (easier to process downstream)
python3 ~/.openclaw/skills/deal-hunter-alert-claw/scripts/monitor.py \
  --rule '...' --output json

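Step 4: Valuation and risk assessment

The script does this automatically, but important items need manual review:

  • Read references/valuation-models.md to make the valuation judgment
  • Read references/risk-signals.md to identify risk signals
  • High-risk items are filtered out automatically; medium-risk items are pushed with an added note

Step 5: Push the Feishu alert

After the scan completes, format the results and push them to the user via Feishu: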

🦞 捡漏预警 | 闲鱼
📌 iPhone 15 Pro 256G 深空黑 九成新
💰 价格:4200元
📊 市场价:7999元 | 折扣:47.5%
🔗 https://2.taobao.com/item/xxx
⚡ 注意:换过电池,注意续航

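Step 6: Set up continuous monitoring (optional)

If the user needs continuous monitoring, recommend scheduled runs through OpenClaw cron:

  • Second-hand goods: once every 5-15 minutes
  • Property / judicial auctions: once every 30 minutes
  • Tender information: 2-4 times a day (working days)

Tell the user how to set it up: /cron add "*/15 * * * *" "扫描闲鱼iPhone 15"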


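Supported platforms

| Platform identifier | Platform name | Use case |
|---|---|---|
| xianyu | Xianyu (闲鱼) | Second-hand goods |
| zhuanzhuan | Zhuanzhuan (转转) | Second-hand goods |
| lianjia | Lianjia (链家) | Second-hand homes / urgent sales |
| ke | Beike (贝壳) | Second-hand homes / urgent sales |
| paimai | Alibaba Auction (阿里拍卖) | Judicial-auction property / assets |
| jd_auction | JD Auction (京东拍卖) | Judicial-auction property / assets |
| ccgp | Government Procurement Network (政府采购网) | Tenders |
| bidding | Tendering and bidding platforms | Tenders |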

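References

  • Valuation methods: references/valuation-models.md — quick valuation models for property / second-hand goods / tenders
  • Platform rules: references/platform-rules.md — collection strategy, field structure and anti-scraping strategy for each platform
  • Risk identification: references/risk-signals.md — library of risk signals for each type of item

⚠️ The current script is a sample implementation and returns simulated data. For a real deployment, replace the collection logic for each platform in scripts/monitor.py with a real one (HTTP requests or Selenium).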


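Working with other claws

  • After finding a quality item → call strategy-advisor-claw to assess whether it is worth investing in
  • Multi-channel push → call cross-platform-messenger-claw to push to WeChat/SMS at the same time
  • Historical data analysis → call auto-data-analysis-claw to optimise the monitoring rules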
