← Back to Skills Marketplace
skyfile

淘宝返利

by wuweizhen · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
100
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install taobao-rebate
Description
返利宝统一技能。只按 3 个用户场景工作:S01 授权与教程、S02 链接返利、S03 商品搜索。用户说“返利”“教程”“详细教程”“提现教程”“提现10元”“确认提现”“我已授权”“账户余额”等走 S01;发送淘宝、京东、拼多多商品链接走 S02;表达想买什么商品时走 S03。S03 的职责是提取商品搜索信息,...
Usage Guidance
This skill appears to implement a typical rebate/link workflow (recognize links, search products, generate rebate links, and handle withdraws), but it depends on an external backend hosted at xiaomaxiangshenghuo.io.mlj130.com that is not documented in the skill metadata. Before installing or enabling the skill: 1) Verify the backend/service owner (homepage, source repo, or vendor) to ensure you trust that domain; 2) be cautious about performing the 'WeChat authorization' flow the skill prompts — it will send a machine-specific code to that third-party site and may bind your openid; 3) avoid running the documented 'npm install' build step in a privileged environment — prefer inspecting the bundled code or running in an isolated sandbox; 4) review what personal identifiers you will expose (machine code, openid) and where local binding files are stored; 5) if you can't validate the backend and operator, consider not installing or running the skill. If you want, I can help: a) enumerate the exact network endpoints the code calls, b) search public records for the domain owner, or c) point out exactly which files implement the auth flow so you can review them line-by-line.
Capability Analysis
Type: OpenClaw Skill Name: taobao-rebate Version: 1.0.1 The skill bundle implements a rebate assistant for Chinese e-commerce platforms but contains high-risk patterns. Specifically, `scripts/common.js` reads the global `openclaw.json` configuration file to retrieve sensitive LLM provider API keys and uses `child_process.spawnSync` to execute `curl` for network requests, including an option to bypass SSL verification (`insecure` flag). While these capabilities are used to facilitate product searching and intent recognition via the backend at `mlj130.com`, the practice of a skill bundle accessing global platform secrets and using shell-adjacent commands for network I/O represents a significant security risk and potential for abuse.
Capability Assessment
Purpose & Capability
Name/description (淘宝返利 / rebate assistant) aligns with the included scripts: link recognition, product search, rebate-link creation, balance and withdraw flows. However the implementation embeds hard-coded backend URLs (xiaomaxiangshenghuo.io.mlj130.com) and a web-based auth landing flow instead of requiring declared API credentials; that is plausible for this product but should have been documented in metadata (homepage, required endpoints).
Instruction Scope
SKILL.md directs the agent to invoke specific local CLI scripts and to return script stdout verbatim. The scripts themselves perform network calls to a rebate backend, resolve short links, save/load local openid bindings, and may ask the user to follow an external WeChat landing page. The instructions do not ask the agent to read arbitrary system files, but they do force returning third-party content unchanged and to provide auth URLs that embed a machine code — both increase privacy/anti-phishing risk.
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md documents build steps that run 'npm install' and 'npm run build' in the skill workspace. Running npm install will fetch packages from public registries (network fetch) and execute build scripts — this is a moderate-risk install path that is not captured in the skill metadata. The distributed bundle already contains many JS files, but the documented build step should be treated as a potential supply-chain risk.
Credentials
The skill declares no required env vars or credentials, and instead relies on a machine-specific code and a web-based WeChat auth flow (machinecode passed as query parameter to an external auth URL). While not requesting user secrets directly, the skill will cause the user to visit/authorize on an external site and stores an openid binding locally — reasonable for this service but disproportionate to the lack of any documented backend or homepage. Hard-coded external URLs and implicit trust in that backend raise privacy/credential risks (exfiltration of machine code / openid).
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or global agent settings. It persists a local 'machineCode' and openid binding within its workspace (expected for an auth flow). Autonomous invocation is enabled by default (normal) and not in itself flagged here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install taobao-rebate
  3. After installation, invoke the skill by name or use /taobao-rebate
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
**提现流程和话术升级:本版本新增提现流程路由与话术,完善对提现场景(如“提现10元”“确认提现”)的识别与处理。**
v1.0.0
Initial release of rebate-assistant (返利宝) skill. - Focuses on three user scenarios: S01 (authorization/tutorial), S02 (rebate via product links), and S03 (product search). - Implements strict routing rules and output constraints for consistent user experience. - S01: Handles onboarding, authorization, tutorials, and balance inquiries. - S02: Processes Taobao, JD, and Pinduoduo product links for rebate link generation. - S03: Extracts product search intent from user queries and returns structured search input. - Exposes unified entry script and enforces markdown-formatted responses with no extra explanations.
Metadata
Slug taobao-rebate
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is 淘宝返利?

返利宝统一技能。只按 3 个用户场景工作:S01 授权与教程、S02 链接返利、S03 商品搜索。用户说“返利”“教程”“详细教程”“提现教程”“提现10元”“确认提现”“我已授权”“账户余额”等走 S01;发送淘宝、京东、拼多多商品链接走 S02;表达想买什么商品时走 S03。S03 的职责是提取商品搜索信息,... It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.

How do I install 淘宝返利?

Run "/install taobao-rebate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 淘宝返利 free?

Yes, 淘宝返利 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 淘宝返利 support?

淘宝返利 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 淘宝返利?

It is built and maintained by wuweizhen (@skyfile); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments