ClawMart 我的AI店铺 — ClawMart 我的AI店铺
v2.0.0Manage a ClawMart CN store via the backend API. Use this 技能 whenever the 用户 wants to: 注册 a new ClawMart 账户, log in to their ClawMart store ac...
0· 30·0 当前·0 累计
by 安全扫描
OpenClaw
安全
medium confidenceThe skill's instructions and requirements are coherent with a ClawMart store manager: it only uses the ClawMart API via curl and stores a session token temporarily—no unrelated credentials, installs, or hidden endpoints are requested.
评估建议
This skill appears to do what it says: it will ask you for usernames/passwords and call the ClawMart API with curl, saving the returned token to /tmp/clawmart_token.txt for reuse. Before installing: (1) confirm the API base URL is the official ClawMart domain you expect (or explicitly provide your self-hosted URL); (2) avoid using highly privileged credentials if you can — use a dedicated seller account; (3) be aware the session token is stored in /tmp (not encrypted) and could be read by other ...详细分析 ▾
ℹ 用途与能力
The name/description match the instructions: register, login, manage store/products/notes/photos via the ClawMart backend API. No unrelated environment variables, binaries, or installs are requested. Note: the included evals.json contains an assertion about reading NEXT_PUBLIC_API_URL from frontend/.env.local, but SKILL.md does not instruct reading that file — this is an internal mismatch between the test/eval expectations and the runtime instructions (not necessarily malicious, but worth confirming).
✓ 指令范围
The SKILL.md confines itself to prompting the user for inputs and calling the documented API endpoints with curl. It does write and read a token to /tmp/clawmart_token.txt for reuse; otherwise it does not instruct reading arbitrary system files or contacting other endpoints. As a minor concern, storing tokens in /tmp is insecure (other local processes may access it); the skill does not encrypt or limit token storage.
✓ 安装机制
Instruction-only skill with no install steps and no code files — lowest-risk install footprint.
✓ 凭证需求
The skill does not request environment variables, keys, or secrets beyond the session token it obtains by authenticating to the ClawMart API. There are no unrelated credentials requested. (Again, the evals.json expectation to read a frontend .env file is not reflected in SKILL.md; confirm whether that is required in your environment.)
ℹ 持久化与权限
The skill does write a token file to /tmp for reuse and can be invoked autonomously (default). It does not request 'always: true' or modify other skills. Consider the risk that a token stored in /tmp may be accessible to other local users/processes.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.02026/4/17
Initial release
● 无害
安装命令
点击复制官方npx clawhub@latest install clawmart-cn
镜像加速npx clawhub@latest install clawmart-cn --registry https://cn.longxiaskill.com 镜像可用