Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Price Import

v1.0.0

价易通 price import skill. Accepts image, text or Excel raw data; converts it automatically, matches it against the product library, and imports after confirmation.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to import prices and match them against a product library (a reasonable purpose), but its SKILL.md expects to call a set of /api endpoints and to store rules at ~/.openclaw/workspace/price-import/matching-rules.json. The package metadata declares no required config paths, hosts, or credentials even though the workflow needs an API backend; that gap is inconsistent and unexplained.
Instruction Scope
Runtime instructions direct the agent to: 1) use a multimodal model for OCR, 2) call GET/POST /api/* endpoints to fetch products, create products, batch-import prices and upload attachments, and 3) read and write a JSON rules file in the user's home workspace. The document also contains an explicit external link (http://47.96.183.13/...) presented as a verification/detail page. These actions transmit user data off the machine and write local files, yet the SKILL.md specifies neither the API host, nor the authentication method, nor the data retention/privacy behaviour.
Install Mechanism
No install spec and no code files: the skill is instruction-only, so nothing is downloaded or written during install. That lowers the risk of arbitrary third-party code distribution; the remaining risk is at runtime, when the agent acts on the instructions.
Credentials
The skill requires network access to unspecified /api endpoints and uploads attachments, yet the registry entry lists no required env vars or primary credentials. A price-import workflow normally needs an API base URL and an authentication token or credentials; their absence from the metadata is a mismatch and may hide where or how credentials are supplied. The plaintext http:// link to a bare IP address (no TLS, and no domain name from which to attribute an operator) increases concern about data being sent to an external third party.
Persistence & Privilege
The skill will persist matching rules under ~/.openclaw/workspace/price-import/matching-rules.json (per SKILL.md). It does not request always:true nor claim system-wide config changes. Writing a file under the agent workspace is plausible for this feature, but the metadata did not declare this config path, so the write behavior is undocumented.
What to consider before installing
Don't enable this skill yet. Ask the developer: (1) what API base URL(s) the skill will call, and who operates that server; (2) what authentication/credentials are required and how they are stored; (3) whether any data (including the original images or Excel files) will be transmitted to external hosts (confirm the purpose of http://47.96.183.13); (4) exactly which files the skill will write under ~/.openclaw, and the retention policy. If you must test, do so in an isolated environment with dummy data and outbound network logging, and require explicit, documented credentials and hosts before allowing real data to be uploaded.
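The three mismatches the scan reports (a link to a raw IP host, /api calls with no declared host or credential, and a home-directory write with no declared config path) can be checked mechanically before install. The script below is an added example written for this page; it is not ClawHub's scanner and not code from the Price Import skill. It runs against a constructed SKILL.md sample modelled on the findings above: the IP address and the rules path are the ones the report cites, the endpoint names (/api/products, /api/prices/batch, /api/attachments) and the credential name PRICE_IMPORT_TOKEN are hypothetical.

```python
"""Pre-install triage of an instruction-only agent skill.

Added example for this page, not ClawHub's scanner and not part of the
Price Import skill. It reads the SKILL.md text plus the registry metadata
and reports: URLs whose host is a bare IP address, /api endpoints called
without a declared host or credential, and home-directory dotfile paths
written without a declared config path.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+")
# "GET /api/products" style references: an HTTP verb followed by an /api path.
API_RE = re.compile(r"\b(?:GET|POST|PUT|PATCH|DELETE)\s+(/api/[\w/.\-{}]*)")
# Dotfile paths under the user's home directory.
HOME_PATH_RE = re.compile(r"~/\.[\w/.\-]+")


@dataclass
class Metadata:
    """What the registry entry declares (all empty for the skill above)."""
    hosts: list = field(default_factory=list)
    config_paths: list = field(default_factory=list)
    credentials: list = field(default_factory=list)


@dataclass
class Finding:
    kind: str
    detail: str


def raw_ip_host(url: str):
    """Return the host if the URL points at a bare IP address, else None."""
    host = urlsplit(url).hostname or ""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def triage(skill_md: str, meta: Metadata) -> list:
    """Cross-check the instructions against the declared metadata."""
    findings = []
    for url in URL_RE.findall(skill_md):
        url = url.rstrip(",;")
        ip = raw_ip_host(url)
        if ip and ip not in meta.hosts:
            findings.append(Finding("raw-ip-url", url))
    endpoints = sorted(set(API_RE.findall(skill_md)))
    if endpoints and not meta.hosts:
        findings.append(Finding("undeclared-api-host", ", ".join(endpoints)))
    if endpoints and not meta.credentials:
        findings.append(Finding("undeclared-credentials", ", ".join(endpoints)))
    for path in sorted(set(HOME_PATH_RE.findall(skill_md))):
        if path not in meta.config_paths:
            findings.append(Finding("undeclared-home-write", path))
    return findings


def verdict(findings: list) -> str:
    """Hold the install until every finding is explained or declared."""
    return "hold" if findings else "ok"


# Constructed sample modelled on the scan findings above. Endpoint names are
# hypothetical; the IP address and the rules path are the ones the report cites.
SAMPLE_SKILL_MD = """\
# Price Import (constructed sample, not the real SKILL.md)
1. Use a multimodal model to OCR the uploaded image or read the Excel file.
2. GET /api/products to fetch the product library for matching.
3. POST /api/products to create products that did not match.
4. POST /api/prices/batch to import the confirmed rows.
5. POST /api/attachments to upload the original file.
6. Persist learned rules to ~/.openclaw/workspace/price-import/matching-rules.json
Details page: http://47.96.183.13/...
"""


def run_sample() -> list:
    """Triage the sample against an empty registry entry, as on this page."""
    return triage(SAMPLE_SKILL_MD, Metadata())


if __name__ == "__main__":
    found = run_sample()
    for f in found:
        print(f"{f.kind:24} {f.detail}")
    print("verdict:", verdict(found))
```

With an empty registry entry the sample yields all four finding kinds and a "hold" verdict. If the developer declares a host, a credential name and the rules path in the metadata, only the raw-IP URL remains, which is exactly the item the questions above ask them to explain.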