Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

1688 To Ozon

v1.0.71

Automatically collects 1688 products and uploads them to the OZON platform

1 star · 159 downloads · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for z4201812/1688-to-ozon.

Prompt Preview: Install & Setup
Install the skill "1688 To Ozon" (z4201812/1688-to-ozon) from ClawHub.
Skill page: https://clawhub.ai/z4201812/1688-to-ozon
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, agent-browser
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install 1688-to-ozon

ClawHub CLI

npx clawhub@latest install 1688-to-ozon
Security Scan
Capability signals
Crypto, Can make purchases, Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the code and workflow: the scripts crawl 1688, translate/host images, compute pricing and upload via OZON API. Requiring node and agent-browser is reasonable for a web-scraping + automation skill. However there is a small incoherence: SKILL metadata declares no required env vars, yet the code and config include many API keys (OZON, Baidu OCR, translator, ImgBB, DashScope LLM) and the code uses environment-variable overrides — the documentation doesn't clearly declare these runtime secrets as required.
[!] Instruction Scope
The runtime instructions call node scripts that perform crawling, OCR, translation, image hosting and API uploads — all within the described scope. Concerning patterns: the copywriting module writes data to temp files then deliberately throws an error containing a prompt asking the agent to invoke an LLM and save results to a temp path (i.e., it offloads LLM generation to the agent via a prompt embedded in an exception). The main script also sets Feishu app ID/secret in process.env when the -l flag is used. These behaviors broaden what the agent will do at runtime (external LLM/third‑party calls, file writes in system temp/workspace) and create opportunities for sensitive data to be transmitted outside the local environment.
Install Mechanism
There is no install spec (instruction-only in SKILL.md), so nothing is downloaded or executed at install time beyond the provided code. The presence of many local JavaScript files means execution happens when the user runs the script, not during installation. That lowers install-time risk; still review the source files before running.
[!] Credentials
The repository contains numerous credentials in config/config.json (OZON API key, Baidu OCR keys, DashScope LLM key, ImgBB key, translator keys, etc.) and the code hardcodes Feishu app secret values when logging is enabled. The skill does not declare these required env vars in the metadata, yet loadConfig supports overriding via env vars. Requiring multiple unrelated third‑party API keys is proportionate to the multi-service workflow, but embedding secrets in the repo and setting service credentials in-process is risky and inconsistent with the SKILL.md claim of 'required env vars: none.'
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes outputs to shared workspace directories (~/.../projects/) and temporary files (os.tmpdir), which are shared locations per the README; that can leak extracted product data between agents/users if workspaces are not isolated. The skill also prints progress messages intended to be captured by the host agent (and may attempt Feishu notifications).
What to consider before installing
What to check before installing/using this skill:
- Review and rotate credentials: the repo includes cleartext API keys (config/config.json) and hardcoded Feishu app secret in the code. Treat these as sensitive — replace with your own keys or remove them and set them via environment variables before use.
- Verify endpoints and accounts: the workflow uses multiple external services (Baidu OCR, Xiangji/translator, ImgBB, DashScope LLM, OZON). Confirm you control the accounts and understand billing/data-sharing policies for each.
- Isolate workspace and temp files: the skill writes results into shared workspace directories and temp files. Run it in an isolated workspace or container to avoid leaking scraped product data to other agents/users on the same host.
- Understand the LLM pattern: copywriting.js intentionally throws a prompt-containing error to get the agent to run an LLM and write results to disk. That means extracted product text may be included in prompts sent to whatever LLM service you use — review the prompt template and avoid sending data you don’t want transmitted.
- Test in debug/mock mode first: use --debug to run with mock data and verify behavior (and that notifications are disabled) before processing real listings.
- Remove or replace hardcoded notification credentials: the script sets FEISHU_APP_ID/SECRET when -l is used. If you enable logging/notifications, configure your own app credentials or disable notification features.

If you are not comfortable with embedded secrets and automatic external LLM/third‑party calls, do not run this skill in production until you have removed secrets, read the source of the large scripts (especially upload.js, map.js, and copywriting.js), and tested in an isolated environment.
scripts/lib/logger.js:151 - Shell command execution detected (child_process).
scripts/lib/ocr.js:47 - Shell command execution detected (child_process).
scripts/lib/step1-1688.js:44 - Shell command execution detected (child_process).
scripts/lib/step2-img.js:109 - Shell command execution detected (child_process).
scripts/lib/step4-upload.js:56 - Shell command execution detected (child_process).
[!] scripts/ozon/fetch-attribute-values.js:34 - File read combined with network send (possible exfiltration).
[!] scripts/ozon/fetch-attributes.js:34 - File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛒 Clawdis
Bins: node, agent-browser
latest: vk97bkwsx2bsbmj5gdafevp32h584bn6n
159 downloads
1 star
1 version
Updated 3w ago
v1.0.71
MIT-0

1688-to-OZON

Automatically collects 1688 products and uploads them to the OZON e-commerce platform.

Version: v1.0.71
Last updated: 2026-04-06


Quick start

# Basic usage
node scripts/index.js "URL" -w WEIGHT -p PURCHASE_PRICE

# Example
node scripts/index.js "https://detail.1688.com/offer/xxx.html" -w 300g -p 14

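Parameters

| Parameter | Short | Required | Description | Default |
|---|---|---|---|---|
| URL | - | | 1688 product link | - |
| --weight | -w | | Product weight (100g, 0.5kg) | - |
| --purchase-price | -p | | Purchase price (RMB) | - |
| --shipping | -s | | Domestic shipping cost | 0 |
| --profit | - | | Profit margin (decimal) | 0.2 |
| --category | - | | OZON category | toy_set |
| --log | -l | | Real-time progress output (captured by the main agent and sent to Feishu) | false |
| --debug | - | | Debug mode (mock data) | false |
| --pause | - | | Pause for confirmation before upload | false |
| --step | - | | Step to start from (1-4) | 1 |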

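Execution flow

Step 1: 1688 product scraping → extract main images + detail images + copy
Step 2: Image translation → Chinese → Russian, upload to image host
Step 3: Pricing calculation → logistics + commission + profit
Step 4: OZON upload → API upload + stock setup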

Examples

# Full parameters
node scripts/index.js "URL" -w 1.6kg -p 70 --profit 0.25 -l

# Simple parameters
node scripts/index.js "URL" -w 300g -p 14

# Debug mode
node scripts/index.js "URL" -w 100g -p 30 --debug

# Pause for confirmation
node scripts/index.js "URL" -w 100g -p 30 --pause

Configuration

Configuration files: config/config.json, config/user.json

{
  "ozon": {
    "clientId": "your-client-id",
    "apiKey": "your-api-key"
  },
  "pricing": {
    "defaultProfit": 0.2
  }
}

Version history

  • v1.0.71 (2026-04-06) - Reorganized SKILL.md according to OpenClaw rules
  • v1.0.70 (2026-04-05) - Removed the tag format fix code
  • v1.0.69 (2026-04-05) - Fixed tag and rich-text upload failures
