← Back to Skills Marketplace
85
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install cross-border-intel
Description
面向跨境卖家的选品与竞品情报助手,自动监控 Amazon ASIN 动态并追踪 TikTok 爆品趋势
README (SKILL.md)
跨境选品情报助手
面向跨境卖家的本地化情报工作台,持续追踪 Amazon 竞品价格、BSR 与评价变化,并捕捉 TikTok 爆品信号,帮助你更快发现机会、验证选品和跟进竞品动作。
命令
/intel_add \x3Ctype> \x3Cvalue>
添加需要长期追踪的 Amazon ASIN 或 TikTok 关键词。
/intel_add asin B0XXXXXXXXX— 添加 Amazon ASIN/intel_add keyword "kitchen gadgets"— 添加 TikTok 品类关键词
/intel_list
查看当前监控清单与追踪范围。
/intel_remove \x3Ctype> \x3Cvalue>
从监控清单中移除目标。
/intel_report [daily|weekly]
手动生成日报或周报,快速复盘市场变化。
/intel_scan
立即执行一次全量扫描并刷新最新情报。
自动化
- 每天 08:00 自动扫描 Amazon 竞品数据
- 每天 20:00 自动扫描 TikTok 趋势数据
- 当价格变动 >5%、BSR 变动 >30% 或 TikTok 视频播放 >100 万时自动触发告警
- 每周一 09:00 自动生成周报,沉淀关键趋势与机会点
Usage Guidance
Key issues to consider before installing:
- The code will attempt to read your OpenClaw gateway token (from OPENCLAW_GATEWAY_TOKEN env or ~/.openclaw/openclaw.json) and uses it as a Bearer token for requests to https://api.haixia.ai. If that gateway token is sensitive (authenticates your OpenClaw instance or other skills), installing this skill could expose it to an external service.
- SKILL.md does not mention any credential use or external backend. The required binaries listed in SKILL.md (python3, curl, jq) do not match the JavaScript implementation, indicating sloppy or incomplete packaging/documentation.
- The skill persists data locally (a SQLite DB under your OpenClaw state directory). That is expected, but combined with the gateway-token usage it could leak sensitive context along with the token.
What to do if you consider installing:
- Don’t install in a production environment or on a machine with sensitive OpenClaw credentials until you verify the backend. Run it in an isolated sandbox or VM first.
- Inspect the code yourself (you have the package sources). Search for getIntelApiUrl, loadGatewayToken, OPENCLAW_GATEWAY_TOKEN and api.haixia.ai usage. Confirm whether the external endpoint is trustworthy and why the gateway token is needed.
- If you need this skill but want to limit risk: create a separate, limited gateway token (if OpenClaw supports that) for this skill, or set INTEL_API_URL to a trusted internal endpoint, or unset OPENCLAW_GATEWAY_TOKEN so the skill cannot access your main token.
- Contact the publisher/owner (manifest lists owner 'beansmile' and npmPackageName '@beansmile/skill-cross-border-intel') and ask for a clear declaration of what credentials are required and why data is sent to api.haixia.ai. Verify the package provenance (npm or repo) before trusting it.
Given the clear mismatch between documentation and behavior (token reading + remote calls), treat this skill as suspicious until provenance and credential usage are clarified.
Capability Analysis
Type: OpenClaw Skill
Name: cross-border-intel
Version: 1.0.0
The skill reads the OpenClaw gateway token from the user's global configuration file (~/.openclaw/openclaw.json) and transmits it to an external endpoint (api.haixia.ai) for authentication. While the architecture documentation claims this is for backend 'capability' access, it represents a significant risk of credential exfiltration. Additionally, multiple files (scripts/intel_wrapper.sh and test-wrapper.mjs) contain hardcoded absolute paths to a specific developer's local directory (/Users/zhuqiangyi/...), which is highly non-portable and suggests improper packaging. Finally, the database logic in dist/core/database.js uses a manual string-replacement method for SQL parameter binding that is potentially vulnerable to SQL injection.
Capability Assessment
Purpose & Capability
The manifest and SKILL.md describe a local intelligence assistant that monitors Amazon ASINs and TikTok trends. However, much of the implementation delegates data collection to a remote backend (api.haixia.ai) via dist/api/index.js. The SKILL.md did not disclose reliance on an external service or any required credentials. Also the SKILL.md lists required binaries (python3, curl, jq) which are not used by the visible JS code — another mismatch.
Instruction Scope
SKILL.md only documents CLI-like commands and automated scan schedules and makes no mention of reading OpenClaw configuration files or exporting tokens. The code (dist/core/config.js -> loadGatewayToken) will read the OpenClaw config file (~/.openclaw/openclaw.json) or the OPENCLAW_GATEWAY_TOKEN env var and then use that token when calling the external API. That behavior is outside the documented scope and not declared to the user.
Install Mechanism
There is no install spec in the package manifest (instruction-only install spec missing), but the package contains many JS files and references libraries (e.g., sql.js). No network download/installation URLs were found in the provided manifest, so install risk is moderate — the code will expect node-side dependencies at runtime. The lack of an install specification is a usability/traceability concern but not itself direct malicious evidence.
Credentials
SKILL.md declares no required environment variables or credentials, yet the code reads OPENCLAW_GATEWAY_TOKEN or falls back to the user's OpenClaw config file to extract gateway.auth.token and uses it as an Authorization Bearer token for requests to api.haixia.ai. This is disproportionate: a local monitoring skill should not need to read platform gateway tokens unless explicitly documented. Other implicit env vars used in code: OPENCLAW_CONFIG_PATH, OPENCLAW_STATE_DIR, INTEL_API_URL, INTEL_DB_PATH — none declared in SKILL.md.
Persistence & Privilege
The skill creates and writes a local SQLite DB under the derived skill state directory (getSkillStateDir -> local.sqlite3) and will persist watchlists, snapshots and alerts — this is consistent with its stated functionality. It does access the platform OpenClaw config (to load gateway token), which means it reads a configuration file belonging to the platform; that cross-config access is a privilege worth flagging because it enables the token export described above.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install cross-border-intel - After installation, invoke the skill by name or use
/cross-border-intel - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
cross-border-intel 1.0.0 — Initial Release
- Launches a localized intelligence tool for cross-border sellers, focused on Amazon and TikTok tracking.
- Enables monitoring of Amazon ASIN price, BSR, and review changes, plus TikTok product trends.
- Provides commands to add, remove, list, and report on tracked ASINs or keywords.
- Supports immediate and scheduled scans; issues alerts for significant changes.
- Delivers daily and weekly automated scanning and reporting routines.
Metadata
Frequently Asked Questions
What is cross-border-intel?
面向跨境卖家的选品与竞品情报助手,自动监控 Amazon ASIN 动态并追踪 TikTok 爆品趋势. It is an AI Agent Skill for Claude Code / OpenClaw, with 85 downloads so far.
How do I install cross-border-intel?
Run "/install cross-border-intel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is cross-border-intel free?
Yes, cross-border-intel is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does cross-border-intel support?
cross-border-intel is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created cross-border-intel?
It is built and maintained by leif Yi (@xifengzhu); the current version is v1.0.0.
More Skills