Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solo Ecommerce Agent

v1.0.0

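Automates the management of e-commerce stores across multiple platforms, covering the full operating cycle of product-selection scanning, product listing, customer service replies and order processing.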


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hnc87/solo-ecommerce-agent.

Install the skill "Solo Ecommerce Agent" (hnc87/solo-ecommerce-agent) from ClawHub.
Skill page: https://clawhub.ai/hnc87/solo-ecommerce-agent
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install solo-ecommerce-agent

ClawHub CLI

npx clawhub@latest install solo-ecommerce-agent

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name, description, SKILL.md and the included scripts align: the package is an ecommerce automation agent that uses browser automation or platform APIs. Metadata declares a dependency on an xbrowser/browser automation skill which is coherent for the stated purpose. However there are inconsistent data-dir expectations across files and metadata (see details), and SKILL.md/README ask the user to enable Chrome remote debugging (--remote-debugging-port=9222) but the registry metadata did not list Chrome or that setting as a required runtime precondition.
Instruction Scope
SKILL.md instructs the agent to set up cron jobs, keep browser sessions logged-in, and use browser automation (xbrowser) to operate seller backends. The included scripts are mostly local-file I/O stubs (they contain TODOs where real platform API calls or automated actions should be). There are no instructions to read unrelated system files or environment secrets, but the reliance on browser automation + preserved login sessions means the agent could perform account actions if configured — this is expected for the purpose but sensitive. SKILL.md also expects editing ~/.qclaw/solo-ecommerce-data/config.json, which is coherent, but not all scripts read the same path (see concern).
Install Mechanism
No install spec included (instruction-only with packaged scripts). This is low-risk from install-download perspective — nothing arbitrary is downloaded or extracted by the skill itself.
Credentials
The skill declares no required env vars or primary credential, yet SKILL.md and README discuss optional API keys (AppKey/AppSecret) and require browser automation and Chrome remote debugging. There is no clear guidance where API keys should be stored (env vs config file). This omission is not necessarily malicious, but it is a gap: platform credentials will be needed for API-based integration and are sensitive. The skill asks the user to maintain logged-in browser sessions (sensitive) and to open Chrome with remote debugging enabled (exposes a remote debugging interface if misconfigured).
Persistence & Privilege
The skill is not force-included (always:false) and is user-invocable. It creates and writes files under the user's home directory data directory (normal for this type of tool). It does not request to modify other skills or global agent settings. Cron tasks are user-installed per SKILL.md (the skill does not autonomously register system-wide cron jobs).
What to consider before installing

- Data directory inconsistency: SKILL.md and many scripts expect ~/.qclaw/solo-ecommerce-data, but other scripts (init_agent.py, daily_report.py) use ~/solo-ecommerce-data and metadata.json lists data_dir as "solo-ecommerce-data". This will cause duplicate/missing data files and confusion — ask the author which path is canonical and verify where config.json and logs will actually be written.
- Browser automation & Chrome remote debugging: The skill expects xbrowser automation and instructs running Chrome with --remote-debugging-port=9222. That gives the automation access to logged-in web sessions; if that debugging port is exposed on the network it can be abused. Only run remote debugging on a local, firewalled host and understand the risk to your browser sessions.
- Credentials handling: Platform API keys (AppKey/AppSecret) and any cookies/session tokens are sensitive. The skill does not declare required env vars or a secure credential storage method. Decide where keys will be stored (and restrict file permissions), and prefer API-based integration with scoped credentials instead of storing full account login sessions if possible.
- Stubbed implementations: Many scripts are placeholders with TODOs for real API calls and automation. Review any added automation code carefully (especially any code that will execute arbitrary scripts, upload files, or interact with third-party endpoints) before enabling auto-publish/auto-ship features.
- Cron and automation cadence: The SKILL.md recommends high-frequency cron tasks (every 5 minutes, hourly). Start with disabled automation and trial runs to confirm behavior; enable only modules you trust and keep 'publish'/'ship' controls set to require manual review until you confirm correctness.
- If you need to proceed: run the agent in an isolated account or environment first, verify which data_dir is used, inspect config.json for how credentials are stored, and do not expose Chrome remote debugging to the network. Ask the publisher to fix the data-dir inconsistency and to document exactly how to supply and protect platform credentials.
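
The checks recommended above, as an added example that is not part of the skill or of the ClawHub report: a Python pre-flight audit that looks for config.json in both data directories the report names, checks its file mode, and flags the unreviewed publish and auto-ship settings from the skill's sample config. The finding labels and the credential key-name heuristic (`SECRET_HINTS`) are assumptions made for illustration.

```python
import json
import stat
from pathlib import Path

# Both locations named in the scan report; which one is canonical is unresolved.
CANDIDATE_DIRS = (".qclaw/solo-ecommerce-data", "solo-ecommerce-data")
# Assumption: key-name fragments that suggest a credential stored inline.
SECRET_HINTS = ("secret", "appkey", "token", "cookie", "password")

def audit_config(cfg):
    """Flag settings that act on the store unreviewed, plus inline credentials."""
    findings = []
    auto = cfg.get("automation", {})
    if cfg.get("enabled"):  # enabled: false means every cron task is skipped
        pub, order = auto.get("publish", {}), auto.get("order", {})
        if pub.get("enabled") and not pub.get("need_review"):
            findings.append("publish-without-review")
        if order.get("enabled") and order.get("auto_ship"):
            findings.append("auto-ship-enabled")

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for key, value in node.items():
                if value and any(h in key.lower() for h in SECRET_HINTS):
                    findings.append(f"inline-credential:{prefix}{key}")
                walk(value, f"{prefix}{key}.")
    walk(cfg)
    return findings

def audit_home(home):
    """Audit every config.json the skill might read under the given home dir."""
    home = Path(home)
    configs = [home / d / "config.json" for d in CANDIDATE_DIRS]
    configs = [p for p in configs if p.is_file()]
    findings = ["duplicate-data-dir"] if len(configs) > 1 else []
    for path in configs:
        rel = path.relative_to(home).as_posix()
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append(f"group-or-world-access:{rel}")
        try:
            cfg = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError:  # e.g. // comments left in the file
            findings.append(f"not-strict-json:{rel}")
            continue
        findings += [f"{f}:{rel}" for f in audit_config(cfg)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_home(Path.home())) or "no findings")
```

Run it before creating any cron task; an empty result means a single data directory, an owner-only config.json, and no automation module that publishes or ships without review.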

MIT-0

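solo-ecommerce-agent: fully automated, all-platform e-commerce operations agent

Run stores on multiple platforms single-handedly, with no human intervention. Keywords: e-commerce operations, automatic listing, automatic customer service, automatic shipping, product selection, order processing


Feature modules

| Module | Description | Automation |
|---|---|---|
| Product scanning | Analysis of best-seller rankings across platforms, recommendation of opportunity categories | ✅ Scans automatically every hour |
| Product listing | Product information generation, image and text processing, one-click publishing | ✅ Lists automatically once enabled |
| Customer service replies | Automatic classification of and reply to buyer inquiries, disputes escalated automatically | ✅ Processed automatically every 5 minutes |
| Order processing | Automatic shipping, logistics entry, refund review | ✅ Processed automatically every 10 minutes |
| Daily report | Operating data summarized at 23:00 each day and sent as a notification | ✅ Pushed automatically every day |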

Quick start

Step 1: Configure the platform

Edit ~/.qclaw/solo-ecommerce-data/config.json and fill in your platform information:

{
  "platform": "douyin",        // douyin | taobao | pinduoduo | jingdong
  "store_name": "你的店铺名",  // your store name
  "backend_url": "http://127.0.0.1:8080",  // platform API address (if any)
  "automation": {
    "publish": { "enabled": true, "need_review": false },
    "customer_service": { "enabled": true, "auto_reply": true },
    "order": { "enabled": true, "auto_ship": true }
  },
  "enabled": true
}

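Step 2: Enable the scheduled tasks

After the skill is loaded, create the following cron tasks:

| Task name | Trigger time | Purpose |
|---|---|---|
| Product scanning | Every hour on the hour | Analyze best-seller rankings and recommend opportunity categories |
| Customer service replies | Every 5 minutes | Handle buyer messages automatically |
| Order processing | Every 10 minutes | Automatic shipping + logistics entry |
| Daily report | Every day at 23:00 | Push the day's operating data |

Step 3: Trigger operations

Example conversational triggers:

  • "Scan today's product-selection opportunities for me"
  • "List this product: [product link/info]"
  • "Check today's orders"
  • "Generate today's operations report"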

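Scripts

| Script | Function | Data file |
|---|---|---|
| product_scanner.py | Scans best-seller rankings and generates recommendations | recommendations.json |
| product_publisher.py | Publishes products to the store | products.json |
| customer_service.py | Replies to buyers automatically | customers.json |
| order_processor.py | Processes orders + logistics | orders.json |
| daily_report.py | Summarizes operating data | Log files |

Data directory

~/.qclaw/solo-ecommerce-data/

solo-ecommerce-data/
├── config.json           # Main configuration file (required)
├── products.json         # Product list
├── orders.json           # Order records
├── customers.json        # Customer conversation records
├── recommendations.json  # Product-selection recommendations
└── logs/
    └── YYYY-MM-DD.log    # Daily run log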

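Platform integration

Douyin Shop

  • Uses Chrome CDP browser automation
  • Chrome must be started with --remote-debugging-port=9222
  • Automation flow: log in → product management → listing / customer service / orders

Other platforms

  • Through the platform's open API (requires applying for an AppKey/AppSecret)
  • Or by using browser automation to simulate the operations
  • Configure the specific integration method according to the platform's documentation

Status

  • enabled: false → the skill is dormant and all scheduled tasks are skipped
  • enabled: true → running at full speed
  • A single module turned off → only that module is skipped; the other modules continue

Last updated: 2026-04-26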
