Security scan
OpenClaw
Suspicious
Medium confidence
The skill's instructions largely match its claimed purpose (automating 1688.com product selection and distribution), but it relies on executing DOM-manipulating JavaScript in a logged-in browser session and uses very broad element selectors — this is coherent with the goal but poses real risk of unintended actions and the skill omits important runtime guarantees.
Assessment recommendations
This skill will run JavaScript inside the 1688 web UI and perform actions as whoever is logged in. Before using it: (1) Understand it requires a browser or automation environment that can inject/run the provided JS and you must be signed in to your 1688 account; (2) Review the JS carefully — it uses broad text-based selectors (document.querySelectorAll('*')) that can click the wrong buttons on page changes, so prefer running step-by-step rather than fully automated; (3) Test on a non-production/...
ℹ Purpose and capabilities
The name/description (automate 1688 product search and distribution) aligns with the instructions: the SKILL.md contains step-by-step JavaScript for the 1688 AI selection and distribution workflow. It does not request unrelated credentials or binaries. However, it implicitly requires the ability to run page-context JavaScript in a browser (and an authenticated 1688 session), which is not declared explicitly in the metadata — a minor mismatch that should be documented for users.
⚠ Instruction scope
The instructions direct executing DOM-manipulating JavaScript that will act with the user's authenticated 1688 session (clicking buttons, selecting shops, submitting distribution). That's expected for this feature, but the code uses extremely broad selectors (document.querySelectorAll('*') and text matching). Those heuristics can click unexpected elements or perform unintended operations if page text/structure differs or malicious UI elements exist. There is no explicit caution about running in a test account, nor clear error-handling or safeguards before destructive actions.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by the skill metadata.
ℹ Credential requirements
The skill declares no environment variables or credentials, which is proportional. However, functioning requires an authenticated 1688 web session and the ability to run/inject JS into that page (e.g., browser console, extension, or automation environment). That required runtime capability and privileged access to the user's 1688/shop account are not called out in the metadata.
✓ Persistence and privileges
The skill does not request persistent or elevated platform privileges (always is false). It does not modify agent/system configs per the metadata.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/7
Initial release - Automated 1688.com AI product selection and distribution workflow
● Benign
Install command
Official: npx clawhub@latest install 1688-distributor
Mirror (accelerated): npx clawhub@latest install 1688-distributor --registry https://cn.longxiaskill.com