拼多多客服助手

拼多多商家客服自动化助手 - 基于 CDP (Chrome DevTools Protocol) 连接真实浏览器、自动登录拼多多商家后台、智能消息回复、售后处理。使用用户日常 Chrome，天然携带登录态，避免平台风控

Key points to consider before installing/running: - CDP proxy exposure: scripts/cdp-proxy.mjs starts an unauthenticated HTTP server (port 3456) exposing endpoints that can evaluate/click/operate the browser. By default it binds to all interfaces; run only on a trusted machine and restrict binding to localhost (or firewall the port) to avoid remote takeover of your browser session. - Undeclared external DB: src/cdb.ts will use process.env.CDB_URL to construct a ConvexClient. This environment variable is not declared in the skill manifest or SKILL.md. If you set CDB_URL it could cause conversation data, buyer info, templates, etc. to be sent to a remote service. Do not set CDB_URL unless you control and trust the endpoint; if you don't need remote storage, consider removing or disabling the CDB module. - Credential storage: SKILL.md instructs editing scripts/config.json to put usernames/passwords/session paths. Those files may be stored locally in plaintext. If you must store credentials, prefer secure OS credential storage, encrypt the config, or ensure file permissions prevent access by other users on the system. - Browser profile / login state: The code's default browser config uses ./browser-data as userDataDir rather than automatically using your daily Chrome profile. The skill's marketing claim that it 'naturally carries login status' is only true if you explicitly point it to your real profile or run Chrome with remote debugging and that profile; be aware of the implications of exposing your real profile to automation. - Audit network exposure & code: Before running, inspect scripts/cdp-proxy.mjs and remove or modify any endpoints you don't need (especially /eval). Prefer launching the tool with Chrome remote debugging bound to localhost only, or avoid running the CDP proxy at all if you do not require it. Search the codebase for other process.env usage and confirm there are no hidden endpoints. - If you are unsure: treat this skill as potentially risky. Run it in an isolated environment (VM or dedicated machine) without sensitive Chrome profiles, and review/disable external persistence (CDB) and the proxy before use.

Type: OpenClaw Skill Name: pinduoduo-cs-assistant-v2 Version: 1.1.1 The skill implements a Pinduoduo merchant automation assistant with high-risk capabilities, including a custom CDP (Chrome DevTools Protocol) proxy server and cloud database integration. The proxy script (scripts/cdp-proxy.mjs) opens a local HTTP server on port 3456 to control browser sessions, including stubs for remote script evaluation (/eval) and screenshots, which could lead to unauthorized browser control if exposed. Additionally, the skill synchronizes sensitive merchant data, buyer conversations, and shop configurations to an external Convex database (src/cdb.ts). While these features align with the stated purpose of a persistent automation tool, the combination of local network listeners and cloud data persistence for sensitive e-commerce sessions constitutes a significant attack surface without clear evidence of malicious intent.