臻选顾问
v1.20260419.1133
臻选顾问 - AI product advisor for 共健臻选: looks up health supplement information and recommends products
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (catalog/product recommendations) match the instructions: the skill explicitly sources product name/price/effect/stock from a JSON catalog and uses simple filtering/sorting and keyword-to-recommendation mapping. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
Runtime instructions require fetching a products.json from a raw GitHub URL and, on failure, reading a hard-coded local path (/Users/xizheng/.openclaw/workspace/skills/gongjian-catalog/products.json). This is coherent with the stated purpose, but forcing live fetch from an external repo each response allows the repo owner to change behavior/data at any time (integrity/trust risk). The absolute local path is user-specific and may not exist in other deployments.
Install Mechanism
No install spec or code is included — instruction-only skill. Nothing is written to disk by an installer. The only runtime action is network fetch and optional local file read.
Credentials
The skill declares no environment variables, no credentials, and no config paths beyond the single local fallback file. Requested access is proportionate to a catalog lookup; there are no unrelated tokens or secrets requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It can be invoked normally by the agent; that default autonomy is expected for skills.
Assessment
This skill appears to do what it claims, but review and control the external data source before installing: the products.json is fetched live from a third‑party GitHub raw URL (owner: foxbabby). Consider (1) inspecting the repository and the specific products.json contents, (2) pinning to a specific commit or hosting a vetted copy yourself to avoid unexpected changes, (3) being aware the skill will try to read a hard-coded local path that may not exist or may contain stale data, and (4) treating externally fetched JSON as untrusted input (check it for malicious or misleading fields). If you don’t trust the GitHub source, disable network fetch or host a vetted copy locally.
Like a lobster shell, security has layers — review code before you run it.
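Points (2) and (4) of the assessment, as an added example that is not part of the skill or the scan report: catalog bytes are accepted only if they match a SHA-256 digest recorded when the file was reviewed, and are then shape-checked as untrusted input. The function names, the digest pin, `MAX_TEXT` and `MAX_PRICE` are assumptions; `name`, `category` and `price` are the only field names the page shows.

```python
import hashlib
import json

MAX_TEXT = 200         # assumed upper bound for any text field
MAX_PRICE = 1_000_000  # assumed sanity ceiling for a price

class CatalogRejected(ValueError):
    """Raised when catalog bytes fail the digest pin or the shape checks."""

def load_vetted_catalog(raw: bytes, pinned_sha256: str) -> list:
    # 1. Integrity: the bytes must equal the copy that was reviewed.
    if hashlib.sha256(raw).hexdigest() != pinned_sha256:
        raise CatalogRejected("digest mismatch")
    # 2. Shape: still untrusted input, so accept only flat, bounded scalars.
    data = json.loads(raw.decode("utf-8"))
    products = data.get("products") if isinstance(data, dict) else None
    if not isinstance(products, list):
        raise CatalogRejected("no 'products' list")
    for i, p in enumerate(products):
        if not isinstance(p, dict):
            raise CatalogRejected(f"product {i}: not an object")
        for key in ("name", "category"):
            if not isinstance(p.get(key), str) or not p[key].strip():
                raise CatalogRejected(f"product {i}: bad {key}")
        price = p.get("price")
        if (isinstance(price, bool) or not isinstance(price, (int, float))
                or not (0 <= price <= MAX_PRICE)):  # also rejects NaN/Infinity
            raise CatalogRejected(f"product {i}: bad price")
        for key, value in p.items():
            if isinstance(value, str):
                if len(value) > MAX_TEXT or any(ord(c) < 32 for c in value):
                    raise CatalogRejected(f"product {i}: suspicious text in {key}")
            elif not isinstance(value, (int, float)):
                raise CatalogRejected(f"product {i}: non-scalar {key}")
    return products

def verdict(raw: bytes, pinned_sha256: str) -> str:
    try:
        return f"accepted {len(load_vetted_catalog(raw, pinned_sha256))} product(s)"
    except ValueError as exc:  # CatalogRejected, invalid UTF-8, invalid JSON
        return f"rejected: {exc}"

# Constructed sample data (not the real catalog). In use, the pin is recorded
# once at review time, never computed from the bytes being checked.
def _doc(product: dict) -> bytes:
    return json.dumps({"products": [product]}, ensure_ascii=False).encode("utf-8")

REVIEWED = _doc({"name": "辅酶Q10胶囊", "category": "保健食品", "price": 89})
PIN = hashlib.sha256(REVIEWED).hexdigest()
CHANGED = _doc({"name": "辅酶Q10胶囊", "category": "保健食品", "price": 1})
OVERSIZED = _doc({"name": "x" * 5000, "category": "保健食品", "price": 89})
OVERSIZED_PIN = hashlib.sha256(OVERSIZED).hexdigest()
```

The shape check runs even when the digest matches, so a file that was pinned without careful review is still refused if a field is oversized or nested.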
health latest
共健臻选 product catalog lookup
⚠️ Required before every answer
Step 1: Fetch the latest product data live from GitHub
```python
import json
import urllib.request

url = "https://raw.githubusercontent.com/foxbabby/gongjian-catalog/master/products.json"
try:
    # Live fetch from the GitHub raw URL
    with urllib.request.urlopen(url, timeout=5) as f:
        data = json.load(f)
    products = data["products"]
except Exception:
    # Fallback: hard-coded local copy
    with open("/Users/xizheng/.openclaw/workspace/skills/gongjian-catalog/products.json") as f:
        data = json.load(f)
    products = data["products"]
```
All product names, prices, effects, and stock figures must come from this data. Do not make anything up!
Query methods
```python
# By category
[p for p in products if p["category"] == "保健食品"]
# By keyword
[p for p in products if "辅酶" in p["name"]]
# Sorted by price
sorted(products, key=lambda x: x["price"])
```
Recommendation logic
| Need | Keywords |
|---|---|
| Heart | 辅酶, 鱼油 |
| Sleep | 褪黑 |
| Immunity | 灵芝, 接骨木莓 |
| Post-surgery | CaHMB, 匀浆膳 |
| Men | 籽蛎 |
| Beauty | 胶原 |
| Gut | 益生菌, 肠畅 |
| Children | 儿童 |
| Fat loss | 代餐, 白芸豆, MCT |
| Gifts | 礼盒, 套餐 |
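Response format
Single-product card:
📦 **Coenzyme Q10 Capsules**
💰 Price: ¥89
📝 Effects: heart health, antioxidant
📊 Stock: 6265 units
🛒 Search WeChat for the「共健臻选」mini program
Purchase channel
The only channel: search for「共健臻选」in WeChat mini programs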
