ieasysell
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s sales-assistant purpose is plausible, but it asks for a browser login token, mutates an external Ieasysell account, and stores customer/visitor data in memory with limited scoping and control details.
Review carefully before installing. Prefer a scoped API key over a browser login token, confirm exactly what account changes the skill can make, and make sure you are comfortable with customer/visitor data being synchronized into OpenClaw memory on a recurring basis.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this token is exposed or overused, the skill or anyone with the token may be able to access and change the user’s Ieasysell account data.
The skill asks the user to copy a web login token from browser local storage, which can grant broad account access and is not the same as a scoped API key.
ieasysellToken: { ... label: "Ieasysell 登录 Token", required: true, description: "在 Ieasysell 网站登录后,从浏览器开发者工具 Application > Local Storage 中获取 token" }
Use a scoped Ieasysell API key or OAuth flow instead of a browser session token, declare the credential requirement clearly in metadata, and document exactly what account permissions are needed.
A mistaken invocation or ambiguous request could change a live customer-facing sales bot or break links already embedded on a website or sent to customers.
The skill can create, reset, and update external digital-human configurations, including invalidating old public reception links, with no separate confirmation step visible in the provided code.
fetch("https://crm.ieasysell.com/client/digitalHuman/create", { method: "POST" ... forceCreateNew: true }); ... "旧链接已自动失效" ... fetch(`https://crm.ieasysell.com/client/digitalHuman/update/${digitalHumanId}`, { method: "POST" ... roleSetting: optimizedPrompt })
Require explicit user confirmation before account mutations, especially resets or prompt/role updates; provide a preview of the change and a rollback path.
Customer contact details or visitor content may be stored in OpenClaw memory and reused in later sales behavior, which can create privacy and prompt-poisoning risks.
The skill persists visitor records and uses them to optimize a future reception prompt, but the visible artifacts do not define retention limits beyond the last 10 records, deletion controls, or safeguards against untrusted visitor content influencing future prompts.
await claw.updateMemory(updatedMemory); ... reception_prompt: await optimizePromptFromVisitors(claw, newRecords), last_visitors: newRecords.slice(0, 10), company: company, digitalHumanId: digitalHumanId, tenantId: tenantInfo.tenantId
Clearly disclose what visitor fields are stored, how long they are retained, how users can delete them, and how untrusted visitor text is filtered before becoming future prompt or role-setting data.
The skill may continue polling Ieasysell for visitor data after setup, depending on runtime behavior.
The skill is designed to run recurring local synchronization every few minutes. This is related to the stated real-time reporting purpose, but users should understand it is not just a one-time link generator.
syncInterval: { ... default: 5, description: "定时拉取访客记录的间隔时间(默认 5 分钟)" } ... "启动本地定时拉取(从访客管理菜单拉取数据)"
Provide clear start, stop, pause, and interval controls for scheduled synchronization, and show the user when the sync loop is active.
The skill may fail to run as expected, or the actual runtime entrypoint may differ from the file reviewed here.
The declared entrypoint does not match the provided code file path, which is a packaging/provenance inconsistency even if it may simply be an error.
"main": "scripts/skill.ts" ... while the provided manifest contains "scripts/skills.ts"
Verify the published package entrypoint, ensure the reviewed file is the code that will actually execute, and fix the metadata/file-path mismatch.
