Taobao/JD/Pinduoduo/Web-wide Product Search and Price Comparison
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its price-comparison purpose, but its purchase-link generator uses a third-party service with embedded identifiers and an invite/share code that is not clearly disclosed.
Install only if you are comfortable with searches and link generation going through maishou88.com. Treat returned links as potentially share/referral-attributed, verify prices and sellers before buying, and avoid sensitive shopping searches unless the skill adds clearer privacy and referral disclosures.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Clicking or buying through returned links may be attributed to an embedded invite/share identifier rather than being a neutral direct link.
The link command creates target/share URLs using a default invite code. SKILL.md presents these simply as purchase links, so any referral, attribution, or share-link behavior is not clearly disclosed to the user.
url = 'https://msapi.maishou88.com/api/v1/share/getTargetUrl' ... inviteCode = os.environ.get("INVITE_CODE", "46608499") ... "isShare": "1"
Prominently disclose the invite/share-link behavior, label any affiliate or referral links, and let users opt out or provide their own code.
Requests may be associated with a shared embedded service identity whose account context and permissions are opaque to the user.
The script sends a built-in openid service identifier when the user has not configured one, even though the registry declares no required credentials.
openid = os.environ.get("OPENID", "dfe8842aaec8323c02dd534328b262c5") ... 'openid': openid
Document the identifier model clearly, declare optional OPENID/INVITE_CODE configuration, and avoid hidden shared identities where possible.
The third-party service can see the products the user searches for and the items selected for link generation.
User search terms and platform selections are sent to an external provider API. This is purpose-aligned, but it is an external data boundary.
url = 'https://appapi.maishou88.com/api/v1/homepage/searchList' ... data = { ... 'keyword': keyword, ... 'sourceType': str(source_type) }
Add a clear privacy notice for maishou88.com API use and avoid sending sensitive shopping queries unless the user is comfortable with that.
The script can make network requests and return purchase links, but the documented workflow keeps the final link-fetching step user-directed.
The skill instructs the agent to run a local script with user-provided product terms, but it also explicitly requires waiting for user selection before fetching links.
python3 scripts/price.py search --keyword "关键字" --sourceType 0 --pages 1 --format csv ... Then **stop and wait for user input**; do not automatically proceed to the next step.
Keep the explicit user-selection checkpoint and use argument-safe command invocation when passing user-provided keywords.
It is harder to verify the exact package version and upstream source of the reviewed skill.
The registry metadata lacks source/homepage provenance, and the provided SKILL.md/_meta.json artifacts identify version 1.0.3 rather than 1.0.4.
Source: unknown; Homepage: none; Version: 1.0.4
Publish a clear source/homepage reference and align the registry, SKILL.md, and _meta.json version numbers.
