Taobao Image Search
v1.1.3使用淘宝进行以图搜同款、候选比对和加购物车操作。用户提供商品图片并要求“搜同款/找类似款/比价/加入购物车”时使用。优先执行本地脚本(run-taobao-task.js)完成全流程;当脚本失败或页面结构变化时回退 browser 工具手动执行。
⭐ 4· 1.4k·4 current·4 all-time
byXR Gunner@lazygunner
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included scripts: run-taobao-task.js orchestrates image upload, search, candidate selection, and add-to-cart; auto-login-taobao.js handles interactive login and saves browser storage state. There are no unrelated credentials, binaries, or cloud APIs requested.
Instruction Scope
SKILL.md instructs running the local Playwright scripts and falling back to a browser tool; runtime actions are limited to reading a provided local image, driving the Taobao site, and writing verification artifacts. The skill explicitly documents that it saves session cookies/storage to verification-artifacts/taobao-storage-state.json and .pw-user-data-taobao/. No instructions reference reading unrelated host files or sending data to external endpoints other than Taobao.
Install Mechanism
No opaque download/install spec in the registry; SKILL.md asks to install Playwright (npm and npx playwright install chromium). This is a standard, expected dependency for browser automation and matches the code use.
Credentials
The skill requests no environment variables or external credentials. It does persist browser session tokens and user-data locally (cookies/storageState) to implement automatic login — this is functionally necessary but creates sensitive artifacts that the SKILL.md correctly warns about.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. It writes its own artifacts and user-data under the skill directory (verification-artifacts and .pw-user-data-taobao) but does not modify other skills or system-wide configs.
Assessment
This skill appears to do what it says: automate Taobao image search and add-to-cart using Playwright. Before installing/running: (1) Only run on a trusted machine or sandbox because the scripts will save your Taobao login cookies to verification-artifacts/taobao-storage-state.json and .pw-user-data-taobao/ — treat those files like passwords and never upload/share them. (2) If you want no persistence, delete those files after each run or avoid the auto-login path. (3) Review the included scripts yourself (they are present and human-readable) and ensure you are comfortable with local file writes. (4) Install Playwright from the official source (npm) as instructed. If you need a higher assurance review, provide the full (untruncated) verify-taobao-runner.js to inspect any remaining code paths for network calls or unexpected behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97ecgscww25m3k72p1d2dk7k9848ah3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.