Alibaba Sourcing
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly builds Alibaba sourcing links, but it also tells the agent to submit RFQs and access account purchase-list/cart pages without clear confirmation or account-scope limits.
The skill appears usable for public Alibaba product and supplier searches, but be cautious with logged-in Alibaba sessions. Do not let it submit RFQs, send inquiries, or open purchase-list/cart pages unless you have reviewed the exact action and approved it. Also note that all generated Alibaba links include the disclosed traffic_type=ags_llm tracking parameter.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following the workflow could send sourcing inquiries or RFQs to Alibaba suppliers under the user's context before the user has reviewed the exact message or business details.
Submitting an RFQ or inquiry is a third-party business communication. The artifact does not tell the agent to stop for explicit user confirmation, review the recipient/content, or limit what information is sent before submission.
### Supplier Research ... 5. Send inquiry via RFQ
Require the agent to draft RFQs only, show the recipient and full content to the user, and get explicit confirmation before clicking any submit/send button.
If used in an authenticated browser, the agent could view private sourcing, cart, or purchase-list information and potentially act within the user's Alibaba account.
A purchase-list/cart page is likely account-specific and may be accessible through a logged-in browser session. The skill does not declare or bound use of Alibaba account/session access.
### Shopping Cart / Purchase List
https://carp.alibaba.com/purchaseList?traffic_type=ags_llm
Limit the skill to public Alibaba search/product/supplier pages by default, and require explicit user permission before opening account-specific pages or using a logged-in session.
The skill's origin is less transparent than a package with a verified source link, so users have less provenance information.
The registry metadata does not provide a canonical source or homepage, although the included files are small and there is no automatic install mechanism.
Source: unknown
Homepage: none
Review the included files before use and prefer a version with a verified source/homepage if provenance matters for your workflow.
