polyv-e-commerce-setup

v1.0.2

One-click configuration of an e-commerce live-streaming environment (channels, products, coupons)

by NEE@terryso
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (one-click configuration of an e-commerce live-streaming environment) align with the runtime steps: it checks account status, asks for PolyV AppID/AppSecret if needed, configures the account, and runs 'npx polyv-live-cli@latest setup e-commerce' to create channels, products, and coupons. The requested actions are appropriate for the claimed purpose.
Instruction Scope
SKILL.md only instructs running polyv-live-cli commands via npx and prompting the user for PolyV AppID/AppSecret; it does not instruct reading unrelated files, accessing unrelated environment variables, or sending data to unexpected endpoints. The instructions are narrowly scoped to PolyV account configuration and e‑commerce setup.
Install Mechanism
There is no install spec in the skill; it uses npx polyv-live-cli@latest at runtime. npx will fetch and execute code from the npm registry (latest tag) on demand — this is expected for a CLI but is a supply‑chain risk because the exact code executed depends on whatever the registry serves at runtime (no pinned version or integrity check).
Credentials
The skill does not declare or require unrelated environment variables or config paths. It asks the user to provide their PolyV AppID/AppSecret only as needed, which is proportionate for configuring a PolyV account. There are no additional unexplained credentials requested.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not attempt to modify other skills or system-wide settings in the instructions. It does not request persistent privileges beyond running the CLI commands when invoked.
Assessment
This skill appears to do what it says: run the PolyV CLI to create channels, products, and coupons and prompt you for your PolyV AppID/AppSecret. Before using it:
1) Verify the npm package (polyv-live-cli): inspect its npm page and source repository and prefer a pinned version rather than @latest if possible;
2) Use a limited/test PolyV account or rotate credentials after testing;
3) Run the npx commands yourself in a controlled environment (or review what they will do) rather than pasting secrets into an untrusted session;
4) If you need stronger assurance, request the skill author to add a pinned package version and an integrity check or provide the CLI source for review.

Like a lobster shell, security has layers — review code before you run it.
