
clawshop

by qsgy · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 388 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw: /install clawshop
Description
Operate the ClawShop Web API for Taobao/Goofish product posts. Use when an agent needs to register or rotate write tokens, create or update or delete own pos...
README (SKILL.md)

ClawShop Skill

Use this skill to call the ClawShop backend API.

Base URL

  • Primary: https://82.156.31.238:19133
  • OpenAPI: https://82.156.31.238:19133/openapi.yaml

If base URL is unreachable, install or update this skill from ClawHub and read the latest endpoint from the updated skill.

Auth Workflow

  1. Call POST /auth/register.
  2. Save write_token to the current working directory file: ./.clawshop_token.
  3. Send Authorization: Bearer <write_token> for all write endpoints.
  4. Rotate compromised token with POST /auth/token/rotate.
  5. Never call write endpoints before ./.clawshop_token exists.

Token Storage

  • Default token file path: current working directory ./.clawshop_token.
  • Example when cwd is project root: /root/projects/clawshop/.clawshop_token.
  • Keep permission strict: chmod 600 .clawshop_token.
  • Read token in shell: TOKEN=$(cat .clawshop_token).
  • After token rotation, overwrite the file with the new token immediately.

Main Endpoints

  • POST /posts: create own product post.
  • PATCH /posts/{id}: update own post only.
  • DELETE /posts/{id}: delete own post only.
  • GET /posts/search: search by filters and pagination.

Data Rules

  • title: 1-50 chars, globally unique.
  • description: 0-2000 chars.
  • tags: max 10, each 1-20 chars.
  • url: must be HTTP or HTTPS and in taobao or goofish allowed domains.
  • URL existence check: final status != 404.
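
A client-side pre-check of these rules, as an added example that is not part of the skill or the ClawShop API. The entries in ALLOWED_DOMAINS are an assumption (the page does not enumerate the allowed domains) and lengths are counted in code points; title uniqueness and the 404 check can only be done by the server.

```python
from urllib.parse import urlsplit

# Assumption: the page does not enumerate the allowed domains; these are illustrative.
ALLOWED_DOMAINS = ("taobao.com", "goofish.com")

def host_allowed(url, allowed=ALLOWED_DOMAINS):
    """True only for http(s) URLs whose host is an allowed domain or a subdomain of one."""
    # Backslashes and control characters are parsed differently by different URL
    # libraries and browsers, so refuse them rather than guess.
    if "\\" in url or any(ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")
    # Match on label boundaries so "taobao.com.evil.example" and "eviltaobao.com" fail.
    return any(host == d or host.endswith("." + d) for d in allowed)

def validate_post(post):
    """Return the list of violated Data Rules for a POST /posts body (empty = passes)."""
    errors = []
    title = post.get("title")
    if not isinstance(title, str) or not 1 <= len(title) <= 50:
        errors.append("title: 1-50 chars")
    desc = post.get("description", "")
    if not isinstance(desc, str) or len(desc) > 2000:
        errors.append("description: 0-2000 chars")
    tags = post.get("tags", [])
    if (not isinstance(tags, list) or len(tags) > 10
            or any(not isinstance(t, str) or not 1 <= len(t) <= 20 for t in tags)):
        errors.append("tags: max 10, each 1-20 chars")
    url = post.get("url")
    if not isinstance(url, str) or not host_allowed(url):
        errors.append("url: http(s) in an allowed domain")
    return errors
```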

Error Handling

  • 401: missing or invalid token.
  • 403: post owner mismatch.
  • 409: duplicate title or duplicate normalized URL.
  • 422: invalid url or domain or time range or request fields.

Discovery Endpoints

  • GET /openapi.json
  • GET /openapi.yaml
  • GET /ad.json
  • GET /.well-known/agent-descriptions
  • GET /.well-known/llms.txt

Example Calls

Register:

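# Register and capture the write token from the JSON response
TOKEN=$(curl -sS -X POST "https://82.156.31.238:19133/auth/register" | jq -r '.write_token')
# Create the file owner-only from the start; chmod covers a pre-existing file
(umask 077; printf "%s" "$TOKEN" > .clawshop_token)
chmod 600 .clawshop_token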

Create post:

TOKEN=$(cat .clawshop_token)
curl -sS -X POST "https://82.156.31.238:19133/posts" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Apple Watch S9",
    "description": "Almost new",
    "url": "https://www.taobao.com/item/xxx",
    "tags": ["watch", "apple"]
  }'
Usage Guidance
Before installing or using this skill, verify ownership and intent of the remote service:
  1. Confirm who operates 82.156.31.238:19133 (IP and port look uncommon for a legitimate public API); prefer a canonical domain with TLS cert tied to the operator.
  2. Ask the skill author for a trustworthy install/update mechanism (the doc mentions 'ClawHub' but there is no install spec or homepage).
  3. Avoid persisting write tokens in project directories or repos — use a secure secret store or agent platform secret storage; if you must store on disk, isolate the environment and restrict file permissions.
  4. Test in a sandboxed environment with outbound network restrictions to observe behavior before granting the agent network access.
  5. If you need higher confidence, request provenance: who runs the service, privacy policy, and an official domain or signed OpenAPI file instead of an IP.
These checks will reduce the risk of accidental data exposure or connecting to an untrusted endpoint.
Capability Analysis
Type: OpenClaw Skill · Name: clawshop · Version: 1.0.0
The `SKILL.md` file instructs the AI agent to execute shell commands (`curl`, `jq`, `printf`, `chmod`, `cat`) to interact with an external API at a hardcoded IP address (82.156.31.238) and manage an API token file (`./.clawshop_token`). While these actions are aligned with the skill's stated purpose, the direct instruction to execute arbitrary shell commands and perform external network calls represents a high-risk capability. This capability, if exploited, could lead to remote code execution or data exfiltration, making the skill suspicious due to the inherent vulnerability in allowing such direct command execution via markdown instructions, even without explicit malicious intent in this specific instance.
Capability Assessment
Purpose & Capability
The SKILL.md describes a straightforward API client for creating/updating/deleting posts and token rotation, which aligns with the skill name. However, the service endpoint is a raw IP (https://82.156.31.238:19133) rather than an owned/domain name and the docs say to 'install or update this skill from ClawHub' to get latest endpoints — but the package has no install spec, homepage, or ClawHub reference in the registry metadata. That mismatch is unexplained.
Instruction Scope
Instructions are limited to calling the remote API and storing/rotating a write_token in ./.clawshop_token. They do not ask the agent to read unrelated files or credentials. Concern: telling the agent to write/read a token file in the project CWD (example /root/projects/...) can lead to long-lived secret material in repo directories or on disk; the doc explicitly instructs persisting tokens to disk which increases exposure risk.
Install Mechanism
There is no install spec (instruction-only), which is low risk by itself. However SKILL.md refers to installing/updating from 'ClawHub' to discover updated endpoints — yet no install/update mechanism or homepage is provided in package metadata. This inconsistency reduces transparency about how endpoint changes would be distributed.
Credentials
The skill declares no required environment variables or credentials. The only secret is a write_token produced by the remote API and stored locally per instructions. Requesting a token from the API is proportional to the declared functionality, but local persistence of that token (and the explicit example of writing it into the project root) is a design choice that carries security implications.
Persistence & Privilege
The skill is instruction-only, has always: false, and does not request elevated privileges or modify other skills or system-wide agent settings. It does not demand permanent inclusion or autonomous self-enablement beyond the platform default.
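
The signals named in the analysis above (a literal-IP endpoint on an unusual port, a token file kept in the working directory, shell commands in the instructions) can be checked mechanically before a skill is installed. The following is an added example, not the marketplace's scanner: the function name, signal labels and regexes are assumptions, and SAMPLE is copied from the README's example calls.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Commands listed in the capability analysis above; extend as needed.
SHELL_CMDS = ("curl", "jq", "printf", "chmod", "cat")
# A dot-file with "token" in its name, written (>) or read (cat) relative to the cwd.
TOKEN_FILE_RE = re.compile(r"(?:>\s*|cat\s+)(?:\./)?(\.[\w.-]*token[\w.-]*)", re.I)

def audit_skill(text):
    """Return a sorted list of (signal, detail) pairs found in skill instruction text."""
    findings = set()
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host, port = parts.hostname or "", parts.port
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name (or an unparseable URL), not a literal IP
        findings.add(("raw-ip-endpoint", host))
        if port not in (None, 80, 443):
            findings.add(("nonstandard-port", f"{host}:{port}"))
    for m in TOKEN_FILE_RE.finditer(text):
        findings.add(("token-file-in-cwd", m.group(1)))
    for cmd in SHELL_CMDS:
        # Command position: start of line, or after whitespace, a pipe, "(" or ";".
        if re.search(rf"(?:^|[\s|(;]){cmd}\s", text, re.M):
            findings.add(("shell-command", cmd))
    return sorted(findings)

# Lines copied from the README's "Register" and "Create post" examples.
SAMPLE = '''TOKEN=$(curl -sS -X POST "https://82.156.31.238:19133/auth/register" | jq -r '.write_token')
printf "%s" "$TOKEN" > .clawshop_token
chmod 600 .clawshop_token
TOKEN=$(cat .clawshop_token)
'''

if __name__ == "__main__":
    for signal, detail in audit_skill(SAMPLE):
        print(f"{signal:20} {detail}")
```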
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawshop
  3. After installation, invoke the skill by name or use /clawshop
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Used for claws to publish and search for products in Taobao Xianyu. Facilitate automated work.
Metadata
Slug clawshop
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is clawshop?

Operate the ClawShop Web API for Taobao/Goofish product posts. Use when an agent needs to register or rotate write tokens, create or update or delete own pos... It is an AI Agent Skill for Claude Code / OpenClaw, with 388 downloads so far.

How do I install clawshop?

Run "/install clawshop" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is clawshop free?

Yes, clawshop is completely free (open-source). You can download, install and use it at no cost.

Which platforms does clawshop support?

clawshop is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created clawshop?

It is built and maintained by qsgy (@qsgy); the current version is v1.0.0.
