Security Scan
OpenClaw
Suspicious
Medium confidence: The skill mostly does what it says (POSTs a keyword + token to a product-search API) but has small inconsistencies and privacy/operational concerns you should review before use.
Assessment Recommendations
This skill's behavior is coherent with its description — it POSTs {keyword} to a Codrop-like endpoint using the provided token — but there are a few things to check before using it with real credentials:
- Provenance: there is no homepage or known source; verify the author and whether the endpoint (test-codrop.cargosoon.online) is the correct/trusted service you intend to query.
- Secret handling: the script expects --token on the command line. CLI args can leak via process listings and may be ...
ℹ Purpose and Capabilities
The code and SKILL.md implement a product search against a Codrop-like API (POST to /api/shipping/Goods/ProductSearchKeywordQuery on test-codrop.cargosoon.online) which aligns with the stated purpose. However the registry metadata lists no required credentials while the SKILL.md and code clearly require an authentication token passed as --token. The skill's source/homepage are also missing, reducing provenance.
✓ Instruction Scope
The runtime instructions and the script are narrowly scoped: they accept a keyword and token, POST JSON to the remote API, and print the JSON response or an error. The script does not read files, environment variables, or other system state. It does log raw responses on parse failure.
✓ Installation Mechanism
This is an instruction-only skill with a small Node.js script and no install spec; nothing is downloaded or written by an installer. That lowers install-time risk.
ℹ Credential Requirements
No environment variables or platform credentials are declared in metadata, but the skill requires an auth token passed on the command line. Passing secrets via CLI can expose them in process listings and shell history; the token requirement should be declared in metadata (primaryEnv) or documented with safer usage guidance.
✓ Persistence and Permissions
The skill is not always-enabled and does not request any elevated persistence or modify other skills/config. It is user-invocable and can be invoked autonomously (platform default), which is expected.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 2026/3/9
Initial release of codropshiping-product-search:
- Enables product searches on the Codrop shipping platform with a keyword.
- Requires an API authentication token.
- Returns product data as JSON on success.
- Includes error handling for missing parameters, invalid tokens, and server errors.
● Benign
Install Command
Official: npx clawhub@latest install codropshiping-product-search
Mirror (accelerated): npx clawhub@latest install codropshiping-product-search --registry https://cn.longxiaskill.com