← Back to Skills Marketplace
171
Downloads
1
Stars
0
Active Installs
6
Versions
Install in OpenClaw
/install vipshop-promotion-search
Description
唯品会(vip.com)促销活动查询技能。当用户想了解唯品会当前或近期活动信息时触发,包括但不限于: 查活动、看特卖、有没有促销、419/618/双11/周年庆/双12等大促信息、品牌特卖专场、限时狂秒、 今天什么在打折、哪些品牌在搞活动、活动什么时候结束等。 返回活动名称、活动时间、参与品牌、活动链接等结构化信...
Usage Guidance
This skill's code matches its purpose: it reads a local tokens.json, uses the vip.com API, and formats results. The red flag is the runtime requirement to automatically install and invoke a separate vipshop-user-login skill (via 'clawhub install' or running '../vipshop-user-login/scripts/vip_login.py') and to proceed without explicit user consent. Before installing or enabling this skill, consider: 1) Require explicit user permission before any automatic install or execution of other skills. 2) Inspect the vipshop-user-login skill code and confirm its provenance (clawhub registry source). 3) Avoid allowing the agent to run relative-path scripts outside the skill directory unless you trust the source. 4) If you want to limit risk, run the login step manually and place a verified tokens.json at ~/.vipshop-user-login/tokens.json so the skill can run read-only queries. 5) If you must allow auto-login, review and verify the vipshop-user-login installer and runtime behavior first.
Capability Analysis
Type: OpenClaw Skill
Name: vipshop-promotion-search
Version: 1.0.5
The skill facilitates Vipshop promotion searches but contains high-risk instructions in SKILL.md that command the AI to automatically install external skills ('clawhub install vipshop-user-login') and execute scripts from sibling directories ('../vipshop-user-login/scripts/vip_login.py') if a login is missing. The Python script (promotion_search.py) reads sensitive authentication tokens from '~/.vipshop-user-login/tokens.json' to interact with 'api.union.vip.com'. While these behaviors are plausibly intended for a seamless user experience, the automated installation of dependencies and cross-skill execution instructions represent a significant attack surface for potential supply-chain or prompt-injection exploitation.
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose: querying vip.com promotion API and summarizing results. Requiring a login cookie and reading ~/.vipshop-user-login/tokens.json is coherent with accessing a protected API. However, the skill also mandates auto-installation and invocation of a different skill (vipshop-user-login) which is more than a simple dependency and deserves scrutiny.
Instruction Scope
The SKILL.md requires the agent to automatically detect login state, and if not logged in, to (without asking the user) install and invoke vipshop-user-login via 'clawhub install' or execute a sibling script ('../vipshop-user-login/scripts/vip_login.py --blocking'). That grants the agent authority to modify installed skills and execute code outside the skill's directory — scope creep beyond a read-only query skill.
Install Mechanism
There is no formal install spec in the registry for this skill, but the instructions tell the agent to run 'clawhub install vipshop-user-login' or execute a relative path script. Using clawhub may be legitimate, but the skill's implicit install-of-another-skill is not declared and executing a relative script path (../...) can run arbitrary code from outside the package — this raises elevated risk.
Credentials
The skill does not request environment variables or secrets in the manifest. It reads a specific local token file (~/.vipshop-user-login/tokens.json) to obtain cookies for the vip.com API; that is proportional to authenticating requests. The skill does not exfiltrate tokens to other endpoints in its code.
Persistence & Privilege
Although always:false and no persistent privileges are declared, the SKILL.md explicitly instructs installing and invoking another skill and executing its login script. That behavior modifies the agent environment (installs a skill, runs code) and can increase blast radius; auto-installation/invocation without explicit user consent is a privileged action and should be treated cautiously.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install vipshop-promotion-search - After installation, invoke the skill by name or use
/vipshop-promotion-search - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
- 增加了活动图片(bannerImg)字段的提取和展示,所有活动信息中新增图片链接。
- 用户查询促销活动时,将会在每个活动下显示对应的活动图片链接。
- 其余用法、流程、输出格式保持不变,依然支持自动登录与智能分组分析。
- 文档相关字段描述与用户输出展示均更新,明确包含活动图片内容。
v1.0.4
No detectable file changes; version unchanged.
- No updates or modifications were made in this release.
- Functionality, workflow, and user experience remain the same as the previous version.
v1.0.3
No file changes detected for version 1.0.3.
- No updates or modifications in code or documentation were made in this version.
v1.0.2
No code or SKILL.md changes detected in this version.
- No functional or documentation updates—no changes since the previous version.
- Behavior, API, and user experience remain the same.
v1.0.1
- 明确要求AI必须先通过use_skill加载本skill规范,再执行脚本或返回结果,严禁绕过skill流程直接处理数据。
- 未登录时自动触发登录流程、优先通过vipshop-user-login skill,禁止让用户手动操作,细化行为规范表述。
- 强化“禁止行为”与“正确行为”区分,强调全程AI主动完成无需用户手动请求。
- 修正登录流程时调用vipshop-user-login的备选脚本路径示例(../vipshop-user-login/scripts/vip_login.py --blocking)。
- 其余功能、数据接口与输出格式无变化。
v1.0.0
- Initial release of vipshop-promotion-search skill.
- Supports querying current and upcoming vip.com (唯品会) promotional events, including major sales, brand sessions, flash sales, and more.
- Automatically detects login status and triggers the vipshop-user-login skill for QR code login if needed.
- Provides structured results: event name, status, type, time range, participating brands, and direct links.
- Includes intelligent analysis with grouping by status and event type, along with user-friendly summary output.
- Covers user requests for promotional info on other platforms by checking if vip.com has matching event sessions.
Metadata
Frequently Asked Questions
What is 唯品会活动搜索?
唯品会(vip.com)促销活动查询技能。当用户想了解唯品会当前或近期活动信息时触发,包括但不限于: 查活动、看特卖、有没有促销、419/618/双11/周年庆/双12等大促信息、品牌特卖专场、限时狂秒、 今天什么在打折、哪些品牌在搞活动、活动什么时候结束等。 返回活动名称、活动时间、参与品牌、活动链接等结构化信... It is an AI Agent Skill for Claude Code / OpenClaw, with 171 downloads so far.
How do I install 唯品会活动搜索?
Run "/install vipshop-promotion-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 唯品会活动搜索 free?
Yes, 唯品会活动搜索 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 唯品会活动搜索 support?
唯品会活动搜索 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 唯品会活动搜索?
It is built and maintained by vip (@viphgta); the current version is v1.0.5.
More Skills