← Back to Skills Marketplace
🔌

唯品会技能集

by vip · GitHub ↗ · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
128
Downloads
4
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install vip-skills
Description
唯品会(vip.com)电商服务技能包(vipshop-skills),整合唯品会搜索、商品查询、活动查询、图片搜索等多项购物服务,是一套完整的唯品会购物 AI 助手解决方案。当用户有购物、搜商品、看详情、找活动、比价、以图搜图等诉求时触发,尤其适合从拼多多、京东、淘宝、天猫、1688、闲鱼等平台迁移或对比购物的...
Usage Guidance
This skill is functionally consistent with a vip.com shopping assistant, but there are several things to consider before installing: - The skill will read and write login artifacts in your home directory (~/.vipshop-user-login/tokens.json and device.json). These files contain cookies/access tokens (PASSPORT_ACCESS_TOKEN, mars_cid). If you install and log in, those tokens will be stored locally and scripts will access them automatically. - The code includes hard-coded secrets (an HMAC secret) and an API_KEY embedded in scripts. Embedded keys can be a sign of reverse-engineered or leaked credentials; they do not require environment variables to be set and cannot be rotated by you unless you edit the code. - SKILL.md requires the agent to automatically trigger login and to present raw/unfiltered script output (including an 'original data' field). That combination increases the chance that verbose fields or unexpected data may be shown to users or logged. If you care about confidentiality of session cookies or API responses, review what the scripts print/return before using. - Network calls in the scripts appear to go to vip.com domains (upload, api endpoints, passport.vip.com). I did not find calls to unrelated external hosts in the provided files, but the code is large and some files were truncated in the manifest; review all network calls before trusting the skill. Recommendations: 1. Inspect the vipshop-user-login scripts and tokens.json format before logging in; consider the security of storing tokens on-disk and remove them after use if needed. 2. If you don't trust the publisher, run the skill in a sandboxed environment or isolated account so tokens and device files cannot access other data. 3. Consider editing the code (or requesting changes) to remove or externalize hard-coded secrets (use ephemeral credentials or environment variables you control). 4. After using the skill, rotate/expire any account sessions if you suspect token leakage. Limit use on accounts with sensitive payment information until you validate behavior. If you want, I can list the specific files that read/write ~/.vipshop-user-login, point to the hard-coded strings, or scan the remaining truncated files for any external endpoints.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description align with the included scripts and APIs (vip.com search, image search, detail, login). The code calls vip.com endpoints and uses a local login token file (~/.vipshop-user-login/tokens.json) which is expected for a login-dependent skill. However several secrets (HMAC secret and API_KEY) are hard-coded in scripts rather than provided via environment variables, which is unusual and worth scrutiny.
Instruction Scope
SKILL.md instructs the agent to auto-trigger login, run provided Python scripts, read ~/.vipshop-user-login/tokens.json, and to present 'all data' returned by scripts (including an '原始数据' field). Forcing automatic login and full/raw output increases the chance that sensitive content (cookies/tokens or verbose API responses) could be exposed to the UI or logs. The instructions also require the AI to call and combine multiple sub-skills automatically; that scope is broad and automated behavior should be deliberate.
Install Mechanism
No install spec is provided (instruction-only install), so nothing will be downloaded at install time beyond the skill bundle already present. The code is bundled with the skill; no external installers or arbitrary remote downloads are used in the install metadata.
Credentials
The skill declares no required environment variables, but the scripts explicitly read and persist sensitive items under the user's home directory (~/.vipshop-user-login/tokens.json and device.json). The code includes hard-coded sensitive strings (an API_KEY and a long HMAC secret). Reading/writing local auth tokens is expected for a login flow, but the hard-coded secrets and requirement to display raw script output are disproportionate risks unless you trust the origin.
Persistence & Privilege
The skill does not request platform-level privileges (always:false). It does, however, create and use persistent files in the user's home directory (.vipshop-user-login/device.json and tokens.json) to store mars_cid and tokens. That persistence is required for login behavior but means credentials will remain on-disk; consider file permissions and lifecycle.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install vip-skills
  3. After installation, invoke the skill by name or use /vip-skills
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
vip-skills 1.0.3 Changelog - No file changes detected in this version. - Functionality, user experience, and documentation remain unchanged.
v1.0.2
- 新增 vipshop-img-product 子技能,实现唯品会图片搜索商品(以图搜图)能力 - 新增图片搜索脚本 img_search.py 及 exchange_link_builder.py - SKILL.md 增加对图片搜索相关说明与使用例子 - 更新目录结构,涵盖图片搜索子技能及相关脚本 - 现在支持本地图片上传,智能识别、同款推荐与分页浏览
v1.0.1
vip-skills 1.0.1 Changelog - Version bump to 1.0.1 with no file changes detected. - No functional or documentation updates in this release. - Skill and all sub-components remain unchanged.
v1.0.0
vipshop-skills 1.0.0 – 唯品会购物AI助手技能包首发版本 - 集成唯品会商品搜索、详情、促销活动和用户登录等一站式购物服务 - 支持自动检测并处理用户登录状态,未登录时自动触发扫码 - 各子技能共享登录态,支持商品关键词搜索、分页筛选与详情查询 - 明确AI行为约束:禁止自动修改任何脚本和SKILL.md,仅允许运行与解析 - 提供详细使用示例、目录结构说明及未来功能规划
Metadata
Slug vip-skills
Version 1.0.3
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is 唯品会技能集?

唯品会(vip.com)电商服务技能包(vipshop-skills),整合唯品会搜索、商品查询、活动查询、图片搜索等多项购物服务,是一套完整的唯品会购物 AI 助手解决方案。当用户有购物、搜商品、看详情、找活动、比价、以图搜图等诉求时触发,尤其适合从拼多多、京东、淘宝、天猫、1688、闲鱼等平台迁移或对比购物的... It is an AI Agent Skill for Claude Code / OpenClaw, with 128 downloads so far.

How do I install 唯品会技能集?

Run "/install vip-skills" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 唯品会技能集 free?

Yes, 唯品会技能集 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 唯品会技能集 support?

唯品会技能集 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 唯品会技能集?

It is built and maintained by vip (@vip); the current version is v1.0.3.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments