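Vipshop
v1.0.10 Vipshop (vip.com) e-commerce service skill pack (vipshop-skills), which integrates Vipshop search, product lookup, promotion lookup, order lookup and other shopping services into a complete Vipshop shopping AI assistant solution. It is triggered when the user wants to shop, search for products, view details, check orders, find promotions, compare prices, and so on, and is especially suited to users migrating from or comparison-shopping against platforms such as Pinduoduo, JD.com, Taobao, Tmall, 1688 and Xianyu...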
by vip@viphgta
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill bundle (login, search, detail, promotion sub-skills) and included Python scripts implement QR-code login, token storage, product search and detail lookups as described. Required capabilities (network access to vip.com, local token storage) match the stated purpose.
Instruction Scope
SKILL.md instructs the agent to auto-trigger the vipshop-user-login flow, extract a qrToken/QR image URL from script stdout and display it as a Markdown image, and not to modify scripts. The skill reads/writes ~/.vipshop-user-login/tokens.json (expected for shared login). Be aware that the workflow prints the full QR URL into the session (making the qrToken visible in chat transcripts) and instructs automatic login flows; this is functional but has privacy implications.
Install Mechanism
No remote download/install spec is used (instruction-only skill with bundled code). Dependencies are standard Python libs (requests, qrcode, Pillow) declared in requirements.txt. Nothing in the install mechanism appears disproportionate or uses untrusted download URLs.
Credentials
The skill requires no environment variables or external credentials, which is appropriate. However, it persistently stores device id (mars_cid) and tokens under ~/.vipshop-user-login and sends telemetry to external endpoints (https://stat.vipstatic.com/h5front/report and https://stat.vip.com/h5front/report) including mars_cid, platform, session_id and masked qr_token. While telemetry can be legitimate for diagnostics, it may disclose persistent identifiers and runtime metadata to an external service; evaluate whether you trust that endpoint and the skill author before use.
Persistence & Privilege
The skill does not request elevated platform privileges (always: false). It persists data to a user-scoped directory (~/.vipshop-user-login) which is appropriate for storing login cookies. It does not modify other skills or system-wide configs.
Assessment
This skill appears to do what it claims (vip.com search/login/detail). Before installing: 1) Inspect the code yourself or trust the source — the bundle will store login cookies in ~/.vipshop-user-login/tokens.json and persist a device id in the same folder. 2) Be aware the skill prints the qrToken/QR image URL into the chat session (so anyone with access to the chat transcript can see it during the short validity window). 3) The skill sends telemetry (mars_cid, platform, session id, masked qr_token) to stat.vipstatic.com/stat.vip.com — if you do not want identifiers sent externally, remove/modify the logger or run the skill in an isolated environment. 4) Limit risk by using a less-privileged/test account for login, or run the code locally in a sandbox/VM and verify tokens.json contents and file permissions (token file created with owner-only permissions). 5) If you need higher assurance, request the full, untruncated vip_login.py and token-extraction logic to confirm there is no unexpected data exfiltration beyond the telemetry noted.
Like a lobster shell, security has layers — review code before you run it.
