car-search
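v0.1.2
Acts as a professional used-car purchase advisor: helps users analyze their buying needs, searches and aggregates multiple used-car platforms (Dongchedi, Autohome, etc.), and provides in-depth comparison of listing specifications along with car-loan calculations. **Note: even if the user does not explicitly mention "used car", trigger this skill first whenever they are comparing resale value retention, trying to assess the current market price of a used model, or looking to "pick up" a high-value car.**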
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the bundle contains a CLI (car-cli) and platform adapters (dongchedi, che168, guazi, youxinpai) used to aggregate and compare used‑car listings. No unrelated cloud credentials, binaries, or external services are requested. Developer docs mention Playwright for brand extraction, but the shipped adapter contains a static brand map so Playwright is not required for normal operation (not a contradiction, but a developer-only detail).
Instruction Scope
SKILL.md directs the agent to run the included car-cli commands (uv run car search/detail/compare/loan/etc.) and to return structured JSON; those commands exist in the repository. The instructions do not ask the agent to read unrelated system files or exfiltrate secrets. Note: the skill will execute local code and make outbound HTTP requests to third‑party sites (web scraping), which is expected for its purpose.
Install Mechanism
There is no install spec (instruction-only install), but the repository includes a full Python project (pyproject.toml) and expects dependencies via the 'uv' tool. That is reasonable for a bundled CLI, but installing/running it requires creating a Python environment and fetching dependencies. Developer docs mention Playwright + Chromium for some dev tasks (brand extraction) — that is a developer convenience and not necessary for normal runtime because a static brand map is included.
Credentials
The skill requests no environment variables or secrets; it reads optional debug env vars (CAR_CLI_DEBUG, CAR_CLI_TRACE_HTTP) for logging, which is proportionate and documented. Adapters perform unauthenticated GET/POST requests and cookie fetching required by target platforms (e.g., youxinpai session init) but do not require external API keys or unrelated credentials.
Persistence & Privilege
The skill is not set to always:true and does not request elevated platform privileges. It does not modify other skills or system-wide settings in the visible code. Autonomous invocation remains possible (platform default) but is not combined with unusual privileges.
Assessment
This skill appears to do what it says: run a local Python CLI that scrapes multiple used‑car websites, aggregates results, and helps compare listings. Before installing/using it consider: 1) it will execute local code and make outbound HTTP requests to third‑party sites (scraping) — run it in a controlled/sandboxed environment if you are cautious; 2) dependencies are installed via the 'uv' tool and Python (pyproject.toml lists required packages); ensure you trust and vet those dependencies before running uv sync; 3) the tool intentionally includes anti-detection headers, jitter, and retry logic to avoid rate limits — this is normal for scrapers but be mindful of target sites' terms of service and your IP/network policy; 4) no credentials are requested by the skill, but if you plan to extend it to use site-specific APIs, watch for any added env vars or tokens. If you want higher confidence: review the adapter source files for the specific platforms you will query (they are included), and run the CLI in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.
latest vk97bv5754vagyqxk40yy9ncqyn84cwq1
