ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

购物助手

智能购物助手,提供淘宝、京东、拼多多优惠券查询、全网比价、价格保护、历史价格及降价提醒服务。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 140 · 1 current installs · 1 all-time installs
by@wuhaichao87
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (shopping coupons, price-compare, price-protect) align with needing affiliate/partner keys (ZHETAOKE, JD, TAOBAO). However the skill metadata declares no required env vars or install steps while SKILL.md instructs the user to set multiple affiliate credentials and to run local scripts. Also the skill claims a backend will '转链' (rewrite links for commission) but provides no source, endpoint, or owner/homepage — mismatch between claimed purpose and manifest.
!
Instruction Scope
SKILL.md tells the agent/user to run python scripts at ~/.openclaw/workspace/skills/shopping-assistant/scripts/*.py and to store affiliate keys in ~/.openclaw/.env. Yet the bundle contains no scripts. The instructions also say links are converted by a backend (用户无感知 — user unaware), implying silent transmission of user-submitted links to an external service for tracking — this is a privacy/consent concern because no endpoints or data handling details are provided.
!
Install Mechanism
There is no install spec and no code files, but runtime commands refer to scripts that must exist on disk. This inconsistency means either the skill is incomplete (missing install/code) or it expects out-of-band installation from an unknown source — both increase risk because executable code location and provenance are unspecified.
!
Credentials
The SKILL.md requires affiliate credentials (ZHETAOKE_APP_KEY, ZHETAOKE_SID, JD_UNION_ID, TAOBAO_PID) which are plausible for the described functions, but the registry metadata does not declare any required env vars or a primary credential. Asking users to place these sensitive credentials in ~/.openclaw/.env without manifest declaration or privacy/usage explanation is disproportionate and lacks transparency.
Persistence & Privilege
The skill does not request always:true or other elevated persistence, and there is no install spec that writes to system-wide locations. Autonomous invocation is allowed (platform default). The main concern is not persistence but the missing code and undisclosed backend behavior.
What to consider before installing
This skill has multiple red flags: the registry entry includes no code or install steps, but the instructions expect local Python scripts and ask you to supply affiliate credentials and enable invisible backend link conversion. Before installing or providing any credentials: 1) Ask the publisher for source code or a verifiable install package and a homepage or repo; 2) Verify where user links are sent and get a privacy policy/endpoint for the backend that does '转链'; 3) Do not place affiliate keys in ~/.openclaw/.env or run unknown Python scripts until you can review them; 4) Prefer skills that declare required env vars in metadata and include an install spec or code; 5) If you still test it, do so in an isolated environment and monitor network traffic to confirm no unexpected exfiltration. The current state is inconsistent and warrants caution.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.0
Download zip
latestvk9702qfvt0t1vc7mn39dffjpfh82prj7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

购物助手 - Shopping Assistant

智能购物助手,提供查券、比价、价保等一站式购物服务。

🎯 核心功能

  • 🔍 智能查券:自动查找商品优惠券
  • 💰 全网比价:对比淘宝/京东/拼多多价格
  • 🛡️ 一键价保:自动申请价格保护
  • 📊 历史价格:查看商品价格走势

📦 支持平台

平台查券比价价保
淘宝/天猫完整支持支持
京东完整支持支持
拼多多基础支持不支持

🚀 使用方法

1. 查券

发送商品链接,自动查找优惠券:

python3 ~/.openclaw/workspace/skills/shopping-assistant/scripts/shopping_helper.py <链接>

示例:

# 淘宝链接
python3 shopping_helper.py "https://s.click.taobao.com/X3lnM4n"

# 京东链接
python3 shopping_helper.py "https://u.jd.com/NOPmtDz"

# 拼多多链接
python3 shopping_helper.py "https://mobile.yangkeduo.com/goods.html?goods_id=123456"

输出示例:

🔍 正在查找优惠券...

📦 阿宽红油面皮酸辣粉组合整箱
✅ 已找到优惠券链接

💰 原价:¥82.23
🎫 优惠券:¥40
💰 券后价:¥29.9
💡 可省:¥52.33
🏪 店铺:阿宽旗舰店
📈 销量:100

✅ 查券完成!

2. 多平台比价

python3 ~/.openclaw/workspace/skills/shopping-assistant/scripts/price_compare_simple.py <链接>

输出示例:

📊 全网比价结果
━━━━━━━━━━━━━━━━━━

🥇 拼多多:¥4999(百亿补贴)
   🏪 品牌好货
   📈 销量:10万+
   ✅ 优势:价格最低

🥈 京东:¥5199(自营)
   🏪 Apple官方旗舰店
   📈 销量:5万+
   ✅ 优势:正品保障,售后好

🥉 淘宝:¥5299(天猫)
   🏪 Apple Store
   📈 销量:3万+
   ✅ 优势:官方授权

💡 购买建议:
   拼多多百亿补贴最便宜,省¥200

🔧 配置参数

~/.openclaw/.env 中配置:

# 折淘客(必需)
export ZHETAOKE_APP_KEY=xxx
export ZHETAOKE_SID=xxx

# 京东联盟(京东功能必需)
export JD_UNION_ID=xxx

# 淘宝联盟(淘宝功能必需)
export TAOBAO_PID=mm_xxx_xxx_xxx

📋 功能说明

查券功能

  • ✅ 自动识别平台(淘宝/京东/拼多多)
  • ✅ 查找商品优惠券
  • ✅ 显示券后价格
  • ✅ 显示店铺信息和销量

比价功能

  • ✅ 对比三平台价格
  • ✅ 显示各平台优势
  • ✅ 给出购买建议

后台转链

  • 用户发送链接查券时,后台自动转链
  • 用户无感知,只显示查券结果
  • 转链后的链接用于追踪佣金

📝 版本记录

版本日期更新内容
v1.0.02026-03-11初始版本,支持查券、比价

💡 使用建议

  1. 优先使用查券功能,获取优惠券信息
  2. 结合比价功能,找到最优价格
  3. 注意优惠券时效,及时使用
  4. 价格实时变动,以实际页面为准

🔗 相关链接

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…