v2.0.0

Alibaba Sourcing

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:28 AM.

Analysis

The skill is mostly a straightforward Alibaba sourcing helper, but it tells the agent to send RFQ inquiries and includes an Alibaba purchase-list/cart URL without clear confirmation or account-scope limits.

Guidance: Review this skill before installing if you plan to use it while logged in to Alibaba. Product and supplier browsing are coherent with the skill purpose, but require the agent to ask for confirmation before submitting RFQs, sending supplier messages, or opening cart/purchase-list pages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
### Supplier Research

1. Search for products in category
2. Identify potential suppliers from results
3. Visit supplier profiles
4. Review credentials (years in business, certifications, ratings)
5. Send inquiry via RFQ

Sending an RFQ inquiry is an external business/account action, but the workflow presents it as a normal step without requiring explicit user confirmation, preview, or scope limits.

User impact: The agent could submit a supplier inquiry or quotation request before the user has reviewed the message or confirmed the business action.
Recommendation: Require explicit user approval before submitting any RFQ or inquiry, and show the exact recipient, message, product details, and account being used.

Human-Agent Trust Exploitation
Severity: Info, Confidence: High, Status: Note
SKILL.md
All URLs MUST include: `traffic_type=ags_llm`

The tracking parameter is clearly disclosed and aligned with the skill description, but it means Alibaba requests are explicitly attributed as LLM-related traffic.

User impact: Alibaba may receive analytics/attribution information whenever the skill builds or opens these URLs.
Recommendation: Install only if you are comfortable with Alibaba links including the disclosed tracking parameter.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata does not provide a verified source or homepage, limiting provenance review even though the included files are small and the static scan is clean.

User impact: Users have less information to verify who maintains the skill or where the published artifact came from.
Recommendation: Verify the publisher and repository before installing, especially if you will use the skill with a logged-in Alibaba account.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: Medium, Status: Concern
SKILL.md
### Shopping Cart / Purchase List

```
https://carp.alibaba.com/purchaseList?traffic_type=ags_llm
```

The skill includes a direct Alibaba purchase-list/cart URL, which is account-specific and can expose or affect procurement-related account data, but the artifacts do not define when it should be used or what account boundaries apply.

User impact: If used in a logged-in Alibaba session, the agent may access purchase-list or cart information that the user did not intend to expose or modify.
Recommendation: Limit account-specific pages to user-requested actions only, require confirmation before accessing cart or purchase-list pages, and document what account data may be visible.