ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China Shopping Oracle

v1.0.4

国内全平台比价工具。Requires OpenClaw v2026.3.22+ with browser access. Compares prices on Taobao/JD/Pinduoduo using existing browser session for member pricing (88VIP/...

0· 110·0 current·0 all-time
by@tobewin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (multi-platform price comparison using an existing browser session) matches the instructions: the SKILL.md describes using OpenClaw's existing-session browser mode to inherit login state and scrape Taobao/JD/Pinduoduo. Declaring python3 as a required binary is plausible because the skill includes Python snippets for price normalization; while the skill is instruction-only and may not need a local python runtime in all deployments, this is not disproportionate.
Instruction Scope
The runtime instructions explicitly direct the agent to access the browser userDataDir and session cookies (e.g. ~/.config/google-chrome) and to extract data from logged-in e-commerce sessions. This is exactly what the description promises (member pricing, inherited sessions) but is high-risk for privacy. The instructions do not attempt to exfiltrate data to any external endpoint within the provided content.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes installation risk. Nothing is downloaded or written to disk by the skill package itself.
Credentials
The skill declares no required environment variables or config paths, yet the instructions require the OpenClaw browser tool to be configured to point at a browser userDataDir (a filesystem path containing cookies and session tokens). This is coherent for the stated purpose but important: the skill will read sensitive local browser data even though no explicit config-path requirement is recorded in registry metadata.
Persistence & Privilege
always is false and the skill does not request persistent/global privileges. Autonomous invocation is allowed (default) which is normal for skills; there is no indication it modifies other skills or system-wide settings.
Assessment
This skill does what it says — it scrapes prices using your existing browser login session to capture member-only prices. That requires reading your browser profile (cookies and session tokens), which is sensitive. Only install/use this skill if you trust it and are comfortable with that access. Recommended precautions: (1) use a separate browser profile that does not contain highly sensitive accounts, (2) confirm OpenClaw is up-to-date (v2026.3.22+) and that you understand how it accesses userDataDir, (3) test with non-critical accounts or dummy data first, and (4) if you need stronger guarantees, avoid skills that read your browser profile or limit them to manual, one-off exports rather than automated session inheritance. Note the registry metadata does not explicitly list the userDataDir/config-path requirement even though the SKILL.md uses it — treat that as an implementation detail you should verify before granting access.

Like a lobster shell, security has layers — review code before you run it.

latestvk979sesnt3fhyed7vwj92w243n83g3yr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛒 Clawdis
Binspython3

Comments