📦 query-1688-product-detail — 查1688商品
v1.0.1通过 AlphaShop API,按商品ID(从URL提取或直接提供)一键获取1688跨境商品完整信息,包括价格、库存、规格、图片与运费模板,支持批量查询并自动处理分页限流,适合选品、比价、铺货等场景。
0· 236·0 当前·0 累计
by 下载技能包
最后更新
2026/3/24
安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
This skill's purpose (querying 1688 product details via AlphaShop) matches its network calls, but there is a clear mismatch in how credentials are declared vs how the code reads them. Before installing or using it: 1) Confirm where you must place the keys — the code expects ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY as environment variables, whereas the SKILL.md says to put apiKey/secretKey in the skill entries. 2) Ensure you store the keys securely (prefer the platform's secret storage for s...详细分析 ▾
⚠ 用途与能力
The skill claims to query 1688 product details via the AlphaShop API — that purpose matches the included code and network calls. However, the SKILL.md and README insist configuration is via skill entries using fields named apiKey/secretKey, while the Python code actually reads ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY from environment variables. Registry metadata also lists no required env vars. This mismatch between claimed configuration surface and actual credential inputs is disproportionate and confusing.
⚠ 指令范围
SKILL.md instructs the agent to always use this skill for any 1688 product lookup and to prompt the user for keys if missing. The script instead exits with errors if the keys are not set (no interactive prompt). The SKILL.md also refers to storing keys in skill entries (apiKey/secretKey) but the runtime code looks at environment variables; this divergence means the runtime instructions the agent will actually follow are unclear and may cause failures or accidental disclosure if users put secrets in the wrong place.
✓ 安装机制
There is no install spec (instruction-only install), which reduces installation risk. The package includes a requirements.txt (requests, PyJWT) — expected for the Python script. Nothing in the install footprint suggests downloads from untrusted URLs or arbitrary extracted archives.
⚠ 凭证需求
The skill effectively requires two secrets (AlphaShop access and secret keys), which is reasonable for an API client, but the manifest declared no required env vars and SKILL.md promotes alternate config fields. The code looks for environment variables named ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY, and error messages reference both skill entries and env paths — causing ambiguity about where secrets should live. This ambiguity increases the risk of misconfiguration or secrets being stored in an unexpected location.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills or system settings, and has no special persistence privileges. It performs only outbound API calls to a single AlphaShop endpoint.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/24
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install query-1688-product-detail
镜像加速npx clawhub@latest install query-1688-product-detail --registry https://cn.longxiaskill.com镜像同步中