Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI E-commerce Team Deployment Plan

v1.0.0

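Provides a one-stop automated deployment plan for an AI e-commerce team built on 5 open-source tools, covering product selection, product images, backend, automation, and customer service.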

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (one-stop AI e‑commerce deployment using changedetection.io, PicPilot, Medusa, n8n, Chatwoot) matches the SKILL.md content: a high-level deployment/consulting guide. However SKILL.md lists deliverable files (deployment-plan.md, client-proposal.md) that are not present in the package manifest, which is an inconsistency but could be just missing artifacts.
Instruction Scope
SKILL.md contains only high-level usage and integration references; it does not instruct the agent to run shell commands, read system files, or exfiltrate data. It does reference integrations (OpenClaw Cron, feishu-doc, n8n skill) but provides no concrete steps or credential-handling instructions—so runtime behavior is underspecified rather than overtly dangerous.
Install Mechanism
Instruction-only skill with no install spec and no code files that require downloading or extracting. Low install surface — nothing is written to disk by the skill itself.
Credentials
The SKILL.md mentions integrations (Feishu doc generation, n8n, OpenClaw Cron) and deployment of services (Medusa, Chatwoot) that in practice require API keys, webhooks, database/cloud credentials, or hosting access. The skill declares no required env vars/config paths. This mismatch (integration claims vs zero declared credentials) is a proportionality concern: if the skill later asks for tokens/keys, that would be expected, but the package should at least document which credentials it will need.
Persistence & Privilege
'always' is false and the skill is user-invocable; it does not request persistent/automatic inclusion. Autonomous model invocation is allowed by default, which is normal. The skill does not declare writing to other skills' configs.
What to consider before installing
This is a high-level, instruction-only deployment guide (no installers or code). It looks coherent for consultancy/document generation, but it references integrations and deliverables that would normally require credentials or extra files which are not included or documented. Before installing or granting access:
1) ask the skill author for the missing files (deployment-plan.md, client-proposal.md) and concrete examples;
2) ask which exact API keys/credentials (Feishu, n8n, Chatwoot, hosting, DB) the skill will request and why;
3) refuse to provide broad secrets all at once—provide least-privilege/test accounts if you must;
4) prefer to run any suggested deployment commands manually or in an isolated test environment;
5) if the skill later tries to perform integrations automatically, require explicit prompts and review of endpoints it will call.
If you want a safer approval, request a more detailed SKILL.md that lists required env vars, integration endpoints, and sample deployment steps.
