📦 Online Shopping

v1.0.0

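Automatically browses and buys products from online stores, supports Cloudflare-protected sites, and can search, compare prices and place orders, covering online shopping needs in one place.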

by @filipmartinsson (Filip Martinsson)
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Safe (high confidence)
Assessment recommendation
This skill appears to do what it claims, but it has real system impact and handles sensitive data. Before installing: (1) Review setup.sh because it runs package manager installs (sudo) and npm installs into your OpenClaw path—run it in a VM or controlled environment if you’re cautious. (2) Expect Chrome/Chromium and xvfb to be installed; check the integrity of any npm packages (patchright). (3) The skill will read and persist addresses and payment-method names in references/preferences.md and m...
Detailed analysis
Purpose and capability
The name/description (browse and buy on protected sites) aligns with the included scripts and docs: setup.sh installs xvfb, Patchright, and a browser; browse.mjs uses Patchright to navigate, extract text, screenshot, and operate checkout forms. These requirements are proportionate for the stated goal of bypassing anti-bot detection and automating shopping flows.
Instruction scope
SKILL.md and the scripts instruct the agent to search, extract product info, fill checkout forms, and update a local preferences file with addresses/payment-method names. This stays within the shopping scope but implies handling of sensitive user data (addresses, payment method names) and directs bypassing anti-bot measures (Patchright). The skill explicitly says to stop before paying, which limits risk, but filling payment/checkout forms is intrinsic and sensitive.
Install mechanism
There is no registry install spec, but setup.sh installs Patchright via npm and uses npx to install Chrome/Chromium and system deps; it also installs xvfb via the system package manager (sudo). This is expected for a stealth browser but carries moderate system-level risk (requires sudo, writes into OpenClaw's install path, and downloads packages from npm). No obscure URLs or archive downloads are used.
Credential requirements
The skill requests no environment variables or external credentials. However it expects and encourages storing user contact/addresses and payment method names in references/preferences.md and may read USER.md. Access to that local sensitive data is proportional for checkout automation but should be considered sensitive by the user.
Persistence and privileges
always:false and the skill does not request persistent platform privileges. The installer does modify the local OpenClaw installation directory (npm install patchright) and places a persistent browser context in /tmp, which is standard for this workflow and within scope, but users should be aware of those artifacts.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/2/23

Suspicious

Install command

Official: npx clawhub@latest install online-shopping
Mirror (accelerated): npx clawhub@latest install online-shopping --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库