Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Deep Research V4
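v1.0.0-beta.1
Amazon deep product selection V4: multi-platform cross-validation (AMZScout + 西柚找词 + 卖家精灵) → 1688 image-search sourcing of identical products → 7-item gross-margin calculation at real-time exchange rates → WIPO IP compliance audit → HTML visual report. Trigger words: 亚马逊调研/选品/市场调研/Amazon research/毛利分析/快速调研/产品分析/竞品分析/选品报告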
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (multi-platform Amazon research + 1688 sourcing + IP audit + HTML report) align with the sites and data the SKILL.md instructs the agent to access (AMZScout, 西柚找词, 卖家精灵, Amazon, 1688, WIPO, Google Patents). The requested actions are coherent for the stated product-research workflow.
Instruction Scope
The runtime instructions require extensive automated browser scraping of multiple third-party sites and a web_search for FX rates (expected). However, the skill explicitly instructs using the browser to extract cookies via document.cookie (for 卖家精灵) which is sensitive: document.cookie can expose other site cookies if mishandled. The SKILL.md does not constrain how cookies are collected, stored, or limited to the few named keys, nor does it instruct safe handling/expiry or require explicit user consent flows. It also requires extracting data from many external pages which could capture additional private data (e.g., session metadata) if implemented broadly.
Install Mechanism
Instruction-only skill with no install spec or packages — lowest install risk. No downloads or archive extraction are present.
Credentials
The skill declares no required env vars or credentials, which superficially lowers risk. But it asks the agent to obtain session cookies (ecookie, rank-login-user, Sprite-X-Token) from the user's browser after login. Requesting browser cookies is a form of credential access; the SKILL.md does not limit extraction to those three keys or explain secure handling, retention, or scope. This raises proportionality and privacy concerns even though the cookies are relevant to calling 卖家精灵's API.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false) and contains no instructions to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high privileges.
What to consider before installing
1) Cookie extraction: the skill tells the agent to extract browser cookies (document.cookie) after you log into 卖家精灵. That can expose other cookies if implemented carelessly. Only proceed if you trust the skill author and you understand how those cookies will be provided/stored and that they will be limited to the listed keys.
2) Scraping and TOS: the skill automates scraping of AMZScout, Amazon, 1688, 西柚找词 and others. This can violate those sites' terms and may trigger blocking or account action.
3) IP/legal checks: the WIPO/patent checks are non-trivial legal tasks; a human IP lawyer review is recommended for borderline results.
4) No install reduces supply-chain risk, but the skill can still exfiltrate browser data via the instructed browser agent.
5) Recommendations: ask the publisher for source code or an implementation plan showing cookie handling and storage policies; require explicit prompts/consent before any cookie capture; restrict cookie extraction to the named keys and auto-delete them after use; run the skill on test accounts first; and verify compliance with target sites' terms. If the author cannot clearly explain cookie handling and data retention, treat the skill as risky.
Like a lobster shell, security has layers — review code before you run it.
latestvk97eg67aw24ytk6cyeqkgvr5rx84hv82
