Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

服务分发购物SKILL

v1.0.0

A purchasing skill for scenarios where the user is present or absent


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for pingjiang/seap-shopping.

Prompt preview: Install & Setup
Install the skill "服务分发购物SKILL" (pingjiang/seap-shopping) from ClawHub.
Skill page: https://clawhub.ai/pingjiang/seap-shopping
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install seap-shopping

ClawHub CLI


npx clawhub@latest install seap-shopping

Security Scan

VirusTotal: Suspicious (View report →)

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
SKILL.md and README describe real-world shopping: cloud authCode/secretToken, payment (aipay), and OpenClaw cron scheduling. The included scripts implement only local mock search/purchase logic (mockGoodsData, mockBuyResponse) and do not call any external APIs, do not read seap.config.json, and do not integrate with a cron service or payment gateway. The declared purpose (real purchases) does not match the actual capability (demo/mock local behavior).
Instruction Scope
The runtime instructions tell the agent to run node commands, read/write `${sessionId}.json` and `${sessionId}_state.json`, use a secretToken for deferred payments, and create cron tasks. The CLI writes sessionId.json results but does not implement cron creation or payment token usage. The SKILL.md also inconsistently references command names (e.g., 'node scripts seap-cli' vs the actual file seap-cli.js) and describes state files that are not fully managed by the code. Instructions thus promise actions (networked payments, scheduling) that the code does not perform.
Install Mechanism
No install spec is provided (instruction-only + included JS file). Nothing is downloaded or extracted from external URLs; risk from install mechanism is low. The skill does write/read files in the skill working directory at runtime (session JSON files).
Credentials
No environment variables or external credentials are required by the package metadata. However, SKILL.md and seap.config.json instruct the user to store sensitive values (authCode, secretToken, address) in a local seap.config.json file. Those tokens are not used by the included CLI, which is inconsistent — storing payment tokens in plaintext config files is a potential security risk and should be avoided unless you verify the code and storage protections.
Persistence & Privilege
`always` is false; the skill is user-invocable and may be invoked autonomously (platform default). The skill writes per-session files (e.g., `${sessionId}.json`) in the skill directory at runtime but does not modify other skills or system-wide settings. No elevated persistence requests are present.
What to consider before installing
This skill reads and writes local session files and documents a workflow that would require payment tokens, cron scheduling, and cloud APIs — yet the shipped JS is a local mock that does not perform networked payments or scheduling. Before installing or supplying any real payment credentials: (1) treat this as a demo/placebo implementation until the author provides real API integrations; (2) do not store real payment tokens in seap.config.json in plaintext; (3) review/modify the scripts to implement secure API calls, encrypted credential storage, and proper cron integration or run it in an isolated/test environment; (4) if you expect automatic scheduled purchases, require the author to demonstrate secure handling of tokens, network endpoints, and error handling. If you cannot verify those, avoid providing real secrets or using the skill for real purchases.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b9cwb542bs9jxs6vyqf74rx844anh
67 downloads
1 star
1 version
Updated 3w ago
v1.0.0
MIT-0

SEAP Shopping Skill

This skill handles shopping requests and supports two scenarios: purchases made while the user is present, and scheduled purchases made while the user is absent.

Trigger condition

This skill is triggered automatically whenever the user's message contains the character "买" (buy).

Configuration file

The configuration file is seap.config.json and contains the following settings:

{
  "authCode": "your_auth_code_here",
  "secretToken": "your_secret_token_here",
  "address": "your_delivery_address_here"
}
  • authCode: credential sent when calling the cloud-side API
  • secretToken: for user-absent purchases, the payment token is stored here and passed in when the deferred payment is made
  • address: the delivery address used after a purchase
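The scan above reports that these three keys are declared here but never read by the shipped script, and that the script has no network access at all. As an added example (not part of the skill or of ClawHub), a small Node.js static check that makes that declared-versus-actual comparison mechanical; both sample scripts are constructed, one mirroring the scan's description of seap-cli.js and one wired to the config and HTTPS, and the list of network markers is an assumption.

```javascript
const DECLARED_CONFIG_KEYS = ["authCode", "secretToken", "address"]; // keys seap.config.json declares

// Constructed stand-in for scripts/seap-cli.js as the scan describes it:
// local mock search/purchase, never opens the config, never touches the network.
const SAMPLE_SCRIPT = `
const fs = require("fs");
function mockGoodsData(intent) { return [{ skuId: "mock-1", title: intent }]; }
function mockBuyResponse(skuId) { return { success: true, skuId }; }
const [, , cmd, ...args] = process.argv;
const sessionId = (args.find((a) => a.startsWith("--sessionId=")) || "=").split("=")[1];
if (cmd === "search") fs.writeFileSync(sessionId + ".json", JSON.stringify(mockGoodsData("x")));
if (cmd === "aipay") console.log(JSON.stringify(mockBuyResponse("mock-1")));
`;

// Constructed counter-example: a script that loads the config and sends every key over HTTPS.
const WIRED_SCRIPT = `
const https = require("https");
const cfg = JSON.parse(require("fs").readFileSync("seap.config.json", "utf8"));
const body = JSON.stringify({ authCode: cfg.authCode, secretToken: cfg.secretToken, address: cfg.address });
https.request({ host: "example.invalid", method: "POST" }).end(body);
`;

// Presence of any of these means the script can reach the network at all (assumed marker list).
const NETWORK_MARKERS = [/require\(["'](https?|net|tls|dgram)["']\)/, /\bfetch\(/, /\baxios\b/, /\bundici\b/];

function analyzeSkill(declaredKeys, scriptSource) {
  const unusedKeys = declaredKeys.filter((k) => !new RegExp(`\\b${k}\\b`).test(scriptSource));
  const readsConfig = /seap\.config\.json/.test(scriptSource);
  const usesNetwork = NETWORK_MARKERS.some((re) => re.test(scriptSource));
  const findings = [];
  if (unusedKeys.length) findings.push(`declared but never read by the script: ${unusedKeys.join(", ")}`);
  if (!readsConfig) findings.push("script never opens seap.config.json");
  if (!usesNetwork) findings.push("no network access: purchases and payments cannot be real");
  return { unusedKeys, readsConfig, usesNetwork, findings };
}

// Running the check against both samples: the mock yields three findings, the wired one none.
const mockReport = analyzeSkill(DECLARED_CONFIG_KEYS, SAMPLE_SCRIPT);
const wiredReport = analyzeSkill(DECLARED_CONFIG_KEYS, WIRED_SCRIPT);
console.log(JSON.stringify({ mockReport, wiredReport }, null, 2));
```

Run it against the real scripts/seap-cli.js source instead of SAMPLE_SCRIPT to reproduce the scan's finding before entering any credential into seap.config.json.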

Dependencies

The skill relies on scripts/seap-cli.js to run its commands.

Workflow

Scenario 1: user-present purchase

  1. The user sends a message, e.g. "我想买一瓶红酒" ("I want to buy a bottle of red wine")
  2. Extract the user's intent phrase verbatim as "queryGoodsIntention"
  3. Run the command:
    node scripts/seap-cli.js search --sessionId=${openclaw当前sessionId} --intent=${queryGoodsIntention} --format md

  4. Return the resulting markdown to the user in the conversation, with the goods numbered in order so the user can choose
  5. Once the user confirms an item number, read the item at that number from the ${openclaw当前sessionId}.json file and take its "skuId"
  6. If a skuId is found, run the following command to make the purchase; otherwise tell the user the item does not exist and ask them to choose again:
    node scripts/seap-cli.js aipay --sessionId=${openclaw当前sessionId} --skuId=${skuId}

  7. Report the purchase result to the user, distinguishing "purchase succeeded" from "purchase failed" by the success field

Scenario 2: user-absent purchase

  1. The user sends a message, e.g. "三十分钟后帮我买一瓶红酒" ("buy me a bottle of red wine in thirty minutes")
  2. Extract the user's intent phrase verbatim as "queryGoodsIntention", together with the cron schedule for the timed task
  3. Run the command:
    node scripts/seap-cli.js search --sessionId=${openclaw当前sessionId} --intent=${queryGoodsIntention} --format md

  4. Return the resulting markdown to the user in the conversation, with the goods numbered in order so the user can choose
  5. Once the user confirms an item number, read the item at that number from the ${openclaw当前sessionId}.json file and take its "skuId"
  6. If a skuId is found, create a scheduled task from the cron expression and tell the user "已创建预约购买任务" (scheduled purchase task created); otherwise tell the user the item does not exist and ask them to choose again
  7. When the scheduled task fires, run the following command to make the purchase:
    node scripts/seap-cli.js aipay --sessionId=${openclaw当前sessionId} --skuId=${skuId}

  8. Report the result to the user as "预约购买任务已完成" (scheduled purchase task completed), distinguishing "purchase succeeded" from "purchase failed" by the success field

Implementation notes

Intent recognition

When the character "买" is detected, the skill must work out the user's intent:

  • User-present purchase: the user expresses a direct intent to buy, e.g. "我想买..." ("I want to buy ...")
  • User-absent purchase: the user expresses a timed intent to buy, e.g. "三十分钟后帮我买..." ("buy ... for me in thirty minutes") or "明天上午买..." ("buy ... tomorrow morning")

Item selection flow

  1. Call the search command to get the list of goods
  2. Format the list as numbered markdown
  3. Wait for the user to choose a number
  4. Read the corresponding item from the json file

Scheduled task creation

For user-absent purchases, the skill must:

  1. Parse the time expression (e.g. "三十分钟后" (in thirty minutes), "明天上午" (tomorrow morning))
  2. Convert it to a cron expression
  3. Create the scheduled task with OpenClaw's cron tool
  4. Perform the purchase inside the scheduled task

Purchase execution

  1. Call the aipay command to make the purchase
  2. Parse the returned result
  3. Use the success field to decide whether the purchase succeeded
  4. Report the result to the user

State management

The skill must track the following state:

  • the sessionId of the current conversation
  • the item number the user selected
  • the purchase mode (present/absent)
  • the scheduled task ID (for scheduled purchases)

This state can be stored in a temporary file named ${sessionId}_state.json
