Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

test-publish

v1.0.2

Automatically lists products from the 跨睿 premium product catalog onto the Ozon e-commerce platform.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for famechyu/test-publish.

Install the skill "test-publish" (famechyu/test-publish) from ClawHub.
Skill page: https://clawhub.ai/famechyu/test-publish
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install test-publish

ClawHub CLI

npx clawhub@latest install test-publish

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill claims to publish products to the Ozon platform, but the included script navigates to a raw IP (http://139.9.192.16:9089/) rather than Ozon's API or web domain. The SKILL.md does not declare required runtime dependencies (the script uses Playwright), and the script contains hard-coded login credentials (test/123456). These inconsistencies indicate the implementation does not match the stated purpose and raise questions about the actual target and expectations.
! Instruction Scope
SKILL.md instructs the agent to call scripts/auto_distribute.py when parameters are present but does not instruct installation of Playwright or browser binaries required by that script. The runtime instructions do not disclose the target host used by the script. The script will perform network actions (visit an IP, log in, click buttons) but SKILL.md does not document those external endpoints or required credentials.
! Install Mechanism
No install spec is provided even though the script requires Playwright and browser runtimes (and possibly OS-level browser dependencies). That omission means the skill will fail or behave unexpectedly unless the environment already has Playwright and compatible browsers installed. There is no download/install URL or package declaration to justify the missing dependency.
! Credentials
The skill declares no required environment variables, but the code embeds hard-coded credentials (username 'test', password '123456') and connects to an IP address. Requiring no declared secrets while using fixed credentials is inconsistent — the author should explain whether credentials are placeholders and whether any environment variables (API keys, login creds) are needed. Network access to a raw IP without documentation is also disproportionate to the stated high-level purpose.
Persistence & Privilege
The skill does not request always:true, does not declare persistent config paths, and does not modify other skills. Autonomous invocation is permitted by default but not combined with other privilege escalations here.
What to consider before installing
Do not install or run this skill in a production environment until the author clarifies and fixes several issues:
(1) Confirm the real target — the code visits http://139.9.192.16:9089/ (an IP) instead of Ozon's domain; explain why.
(2) Declare and remove hard-coded credentials or replace them with required environment variables and document how to obtain credentials.
(3) Add an install spec or clearly document the requirement to have Playwright and browser runtimes installed; otherwise the script won't run.
(4) Fix small bugs / mismatches (script prints a different screenshot filename than it saves).
(5) If you must run it for testing, do so in an isolated environment (sandbox/VM) and use test accounts; inspect network traffic to ensure no unexpected exfiltration.
Ask the publisher for a corrected SKILL.md that documents endpoints, dependencies, and credential handling before trusting this skill.

latest vk975ynvh3n53689k96cw1gf011841p54
80 downloads
0 stars
2 versions
Updated 3w ago
v1.0.2
MIT-0

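Automatic Product Listing Skill

Skill Description

This skill automatically lists products from the 跨睿 premium product catalog onto the Ozon e-commerce platform. It is suited to scenarios where products need to be quickly synchronized and listed on Ozon. The skill uses a browser-driven approach, directly operating the 跨睿 automatic listing agent interface to complete the work.

Trigger phrases: 自动铺货 (automatic listing), 批量铺货 (batch listing), Ozon铺货 (Ozon listing), 商品同步到Ozon (sync products to Ozon), 商品上架到Ozon (list products on Ozon).

When to Use

The user needs to automatically list products on the Ozon e-commerce platform.

Workflow

  1. Based on the user's message, parse out the listing category, store, and price range.
  2. If all three parameters (category, store, price range) are present, call the scripts/auto_distribute.py script and start the listing logic.
  3. If the three parameters (category, store, price range) are incomplete, parse the parameters again. If complete parameters still cannot be parsed in the end, output a question stating that the data is incomplete and ask the user to supply the missing information. In this case, do not call the scripts/auto_distribute.py script.

Mandatory Constraints

  1. Do not write code yourself. If the existing script cannot complete the task, treat the task as failed and return a failure result directly.
  2. When a listing request is recognized, the user's listing parameters (category, store, price range) must be identified and collected anew. Listing parameters from earlier in the context must not be reused unless the user explicitly says so, for example: "same category as last time".

Output Requirements

  1. Output the final task execution result.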
