hiddenpuppy

日本雅虎拍卖估价

by HiddenPuppy · GitHub · v1.0.3
Platform: cross-platform · Status: ⚠ suspicious
Downloads: 1035
Stars: 1
Active Installs: 0
Versions: 4
Install in OpenClaw
/install yahoo-auction-estimator
Description
Yahoo! Japan Auctions item valuation tool - automatically fetches item information, looks up historical sold prices, and calculates a suggested bid
Usage Guidance
This skill appears to do what it claims: it scrapes Yahoo Auctions and aucfree using curl invoked from a Node script, and asks you to set PROXY_SOCKS5 so requests appear to come from Japan. Before installing or running:
  1. Only set PROXY_SOCKS5 to a proxy you trust: a malicious proxy could intercept traffic, and because the proxy string is interpolated into a shell command, an unexpected value could be abused.
  2. Run the script in an isolated environment or container if you are concerned about network scraping.
  3. Verify you are comfortable with outbound network access to auctions.yahoo.co.jp and aucfree.com.
  4. If you will pass untrusted IDs or environment values, review or sanitize the inputs to avoid command-injection risks.
Overall the skill is internally consistent and proportionate to its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: yahoo-auction-estimator
Version: 1.0.3
The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/estimate.mjs`. User-provided auction IDs from `process.argv` are directly interpolated into a URL string, which is then passed to `execSync` within a `curl` command without proper shell escaping. This allows an attacker to execute arbitrary commands on the host system by crafting a malicious auction ID (e.g., `b1220553804; rm -rf /`). While the skill's stated purpose and network calls to Yahoo Auctions and aucfree.com appear legitimate, the lack of input sanitization for `execSync` constitutes a severe security flaw.
Capability Assessment
Purpose & Capability
Name/description say: fetch Yahoo! Auctions and historical prices and compute suggested bids. Declared requirements (node, curl) and the single env var PROXY_SOCKS5 are consistent with needing outbound HTTP(S) access via a Japanese proxy to reach the data sources.
Instruction Scope
SKILL.md explicitly instructs running the provided Node script and setting PROXY_SOCKS5; the script only reads that env var and performs HTTP fetches of auctions and aucfree pages. The script uses child_process.execSync to call curl — expected for this type of scraper, but this is an execution-time surface to be aware of (see guidance).
Install Mechanism
No install spec or remote downloads. This is instruction-only plus a local script (estimate.mjs). Nothing is fetched or written during install, so install risk is low.
Credentials
Only PROXY_SOCKS5 is required and declared as primaryEnv. That aligns with the stated need to route requests through a Japan-based SOCKS5 proxy. No unrelated credentials or extra env vars are requested.
Persistence & Privilege
`always` is false, and the skill does not request persistent system-wide privileges or modify other skills or configs. It runs on invocation and does not attempt to persist or escalate privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yahoo-auction-estimator
  3. After installation, invoke the skill by name or use /yahoo-auction-estimator
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
Uploaded via proxy, v1.0.3
v1.0.2
Uploaded via proxy
v1.0.1
Fixed the version number and re-uploaded
v1.0.0
Initial version: supports automatic valuation of Yahoo Auctions items
Metadata
Slug yahoo-auction-estimator
Version 1.0.3
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is 日本雅虎拍卖估价?

Yahoo! Japan Auctions item valuation tool - automatically fetches item information, looks up historical sold prices, and calculates a suggested bid. It is an AI Agent Skill for Claude Code / OpenClaw, with 1035 downloads so far.

How do I install 日本雅虎拍卖估价?

Run "/install yahoo-auction-estimator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 日本雅虎拍卖估价 free?

Yes, 日本雅虎拍卖估价 is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 日本雅虎拍卖估价 support?

日本雅虎拍卖估价 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 日本雅虎拍卖估价?

It is built and maintained by HiddenPuppy (@hiddenpuppy); the current version is v1.0.3.
