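Vipshop User Login
v1.0.10 Vipshop account QR-code login skill. This skill should be triggered immediately when the user says "log in to Vipshop", "Vipshop login", "scan the QR code to log in to Vipshop", or "I want to log in to my Vipshop account", or when another skill detects that the user is not logged in and needs to be guided through login. It runs the complete QR-code login flow: fetch the QR code → show it to the user to scan → poll for confirmation → save the login state to ~/.vipshop-user-login/tokens...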
by vip@viphgta
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Vipshop QR login) match the implemented actions: HTTP calls to passport.vip.com init/getQrImage/checkStatus, QR image generation/display, polling, and saving cookies. Required resources (no env vars, no external installers) are proportionate to the stated purpose.
Instruction Scope
SKILL.md and the Python code describe only QR login steps and local storage of login state. The instructions to extract the printed QR image URL and render it as a Markdown image are consistent with the script output. There are no instructions to read unrelated system files or to send data to third-party endpoints other than the documented passport.vip.com APIs.
Install Mechanism
This is an instruction + local-code skill with no install spec. Dependencies are standard Python libs declared in requirements.txt (requests, qrcode, Pillow). No arbitrary downloads, URL shorteners, or remote install scripts are present.
Credentials
The skill writes persistent session data to the user's home directory (~/.vipshop-user-login/tokens.json and device.json) and sets directory/file permissions. This is expected for a login helper, but users should note that session cookies are stored locally and accessible to processes/users with access to that path. The skill does not request external API keys or unrelated environment variables.
Persistence & Privilege
always:false and default invocation settings are used. The skill persistently stores tokens in its own config directory only; it does not modify other skills or global agent config. No elevated platform privileges are requested.
Assessment
This skill appears to implement exactly what it claims: it contacts Vipshop's passport endpoints to get a QR image, polls status, and saves login cookies locally at ~/.vipshop-user-login/tokens.json (and device id at device.json). Before installing, consider: (1) stored session cookies grant access to your account via HTTP requests — remove the token file if you want to revoke local access; (2) review the code if you require absolute assurance (it returns raw HTTP responses and persists cookies, which is necessary for functionality); (3) confirm you trust the skill source before providing it to an agent that can run code autonomously, since the agent could use the saved cookies to act on your behalf; (4) the skill does not exfiltrate data to third parties or require extra credentials, but exercise the usual caution when installing code that stores authentication data on disk.
Like a lobster shell, security has layers — review code before you run it.
