📦 Ecommerce Product Pro — 电商选品利器
v1.0.1AI驱动的电商选品工具,专为Amazon FBA、Shopify及dropshipping卖家设计,可快速发现爆款、分析竞争、预估利润并实时跟踪趋势,助你高效决策。
0· 229·1 当前·1 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's description promises external integrations and credentialed APIs, but the packaged files and SKILL.md are inconsistent with those claims (missing files, undeclared env usage, simulated local behavior) — ask the author for clarification before installing or supplying secrets.
评估建议
This package looks like a stub or template rather than a fully implemented connector. Before installing or providing any API keys: 1) Ask the author to explain where ECOMMERCE_API_KEY should be set and update the skill metadata to declare that env var. 2) Request evidence of the claimed integrations (which endpoints are used, network calls in code). 3) Verify the missing files referenced in SKILL.md (tasks/KNOWLEDGE.md, /cross-review, tools/README.md) or get a version that includes them. 4) Beca...详细分析 ▾
⚠ 用途与能力
The README/SKILL.md advertise real integrations (Amazon, Google Trends, Alibaba supplier finder, API access) and paid/pro features, but the shipped index.js implements only simulated/randomized local logic and does not call external APIs. The code references an ECOMMERCE_API_KEY (process.env.ECOMMERCE_API_KEY) but the skill metadata declares no required env vars or primary credential. This mismatch suggests the package is either a stub/template or incorrectly declared.
⚠ 指令范围
SKILL.md claims V2.0 behaviors such as automatic 'knowledge injection' (tasks/KNOWLEDGE.md), cross-model review endpoints (/cross-review), and tools registry files, yet those files/endpoints are not present in the bundle. SKILL.md also contains examples that pass an apiKey parameter, but there is no guidance in metadata about supplying that secret. The instructions do not directly instruct the agent to read unrelated system files, but they reference missing files and remote integrations, creating ambiguity about runtime scope.
ℹ 安装机制
No install spec is provided (instruction-only install via clawhub), which is lower risk for arbitrary downloads. However, the bundle actually includes code files (index.js, package.json) with no dependencies. That combination is not dangerous by itself but raises a question: the skill is marked as instruction-only yet ships runnable code—reviewers should be aware code will exist on disk if installed.
⚠ 凭证需求
The package uses process.env.ECOMMERCE_API_KEY in code but the registry metadata and SKILL.md do not declare any required environment variables or a primary credential. Requesting an API key would be reasonable for external integrations, but the omission of declared env vars is an incoherence that could lead users to supply secrets without explicit justification. There are no other credentials requested, and the code otherwise runs locally without network calls.
✓ 持久化与权限
The skill is not set to always:true and does not request special system config paths or attempt to modify other skills. It appears to be a normal, user-invocable skill with no elevated persistence privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/21
Added Pro Version CTA for custom services
● 可疑
安装命令
点击复制官方npx clawhub@latest install ecommerce-product-pro
镜像加速npx clawhub@latest install ecommerce-product-pro --registry https://cn.longxiaskill.com