vipshop-product-consultant
v1.0.0通过唯品会API查询并综合分析商品信息、用户评价和尺码反馈,提供详细购买建议和口碑报告。
⭐ 0· 98·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description say it queries 唯品会 (Vipshop) product info and reviews; the included Python scripts and SKILL.md implement exactly that (calling mapi-pc.vip.com endpoints, parsing JSONP, saving and analyzing product_info.json, review_summary.json, review_list.json). Required resources (none declared) align with this purpose.
Instruction Scope
SKILL.md instructs running the three provided Python scripts and then analyzing the three JSON files; the scripts perform only HTTP(S) requests to Vipshop endpoints, parse responses, and save extracted data to files in the current directory. They do not read arbitrary system files or access environment variables. Note: the scripts write files to disk in the working directory and print request/response content on error.
Install Mechanism
No install spec (instruction-only with bundled scripts). No downloads from third-party hosts or archive extraction. Risk is limited to running the provided Python code locally (which will make network calls).
Credentials
The skill declares no required environment variables or credentials (appropriate). However, the Python scripts include hard-coded query parameters such as api_key, user_id, mars_cid and tfs_fp_token values embedded in the request parameters. These are not required from the user but are present in the code — this is odd but not necessarily malicious. They may be benign client tokens or copied sample parameters; they could be stale, tied to someone else's session, or a privacy concern if they are sensitive.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system privileges or modify other skills/config. Its persistence is limited to writing output JSON files in the working directory when run.
Assessment
This skill appears coherent: its scripts call Vipshop APIs, parse JSONP, and produce local JSON files and analysis as the README says. Before running or installing: 1) review the bundled Python files yourself or run them in an isolated environment (container or VM) because they make outbound network requests; 2) be aware the scripts save responses to product_info.json, review_summary.json, and review_list.json in the current directory; 3) the code contains hard-coded api_key/user_id/tokens—these might be sample credentials or tied to another account; they are not requested from you but could stop working or be undesirable to include in production; consider removing or replacing them with your own approved credentials if needed; 4) confirm you are comfortable with the tool making requests to mapi-pc.vip.com (check Vipshop's terms and rate limits) and do not supply any unrelated secrets to the skill. Overall the package is internally consistent and not showing signs of intentional misdirection.Like a lobster shell, security has layers — review code before you run it.
latestvk9711tmkbq43b6a6j7jybafby183m5ty
License
MIT-0
Free to use, modify, and redistribute. No attribution required.