Security Scan
OpenClaw
Safe
high confidence
The skill's behavior and requirements are internally consistent with a price-comparison tool that inherits a browser session, but it explicitly reads your browser profile/cookies, which is a significant privacy risk you should accept knowingly.
Assessment recommendations
This skill does what it says — it scrapes prices using your existing browser login session to capture member-only prices. That requires reading your browser profile (cookies and session tokens), which is sensitive. Only install/use this skill if you trust it and are comfortable with that access. Recommended precautions: (1) use a separate browser profile that does not contain highly sensitive accounts, (2) confirm OpenClaw is up-to-date (v2026.3.22+) and that you understand how it accesses userD...
✓ Purpose and capabilities
Name/description (multi-platform price comparison using an existing browser session) matches the instructions: the SKILL.md describes using OpenClaw's existing-session browser mode to inherit login state and scrape Taobao/JD/Pinduoduo. Declaring python3 as a required binary is plausible because the skill includes Python snippets for price normalization; while the skill is instruction-only and may not need a local python runtime in all deployments, this is not disproportionate.
ℹ Instruction scope
The runtime instructions explicitly direct the agent to access the browser userDataDir and session cookies (e.g. ~/.config/google-chrome) and to extract data from logged-in e-commerce sessions. This is exactly what the description promises (member pricing, inherited sessions) but is high-risk for privacy. The instructions do not attempt to exfiltrate data to any external endpoint within the provided content.
✓ Install mechanism
No install spec and no code files — the skill is instruction-only, which minimizes installation risk. Nothing is downloaded or written to disk by the skill package itself.
ℹ Credential requirements
The skill declares no required environment variables or config paths, yet the instructions require the OpenClaw browser tool to be configured to point at a browser userDataDir (a filesystem path containing cookies and session tokens). This is coherent for the stated purpose but important: the skill will read sensitive local browser data even though no explicit config-path requirement is recorded in registry metadata.
✓ Persistence and privileges
always is false and the skill does not request persistent/global privileges. Autonomous invocation is allowed (default) which is normal for skills; there is no indication it modifies other skills or system-wide settings.
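Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.4 2026/3/24
Fix metadata: remove node dependency, add minVersion and needsBrowser declarations
● Suspicious
Install command
Official: npx clawhub@latest install china-shopping-oracle
Mirror (accelerated): npx clawhub@latest install china-shopping-oracle --registry https://cn.longxiaskill.com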