← Back to Skills Marketplace
76
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install seap-shopping
Description
用户在场/不在场购买skill
Usage Guidance
This skill reads and writes local session files and documents a workflow that would require payment tokens, cron scheduling, and cloud APIs — yet the shipped JS is a local mock that does not perform networked payments or scheduling. Before installing or supplying any real payment credentials: (1) treat this as a demo/placebo implementation until the author provides real API integrations; (2) do not store real payment tokens in seap.config.json in plaintext; (3) review/modify the scripts to implement secure API calls, encrypted credential storage, and proper cron integration or run it in an isolated/test environment; (4) if you expect automatic scheduled purchases, require the author to demonstrate secure handling of tokens, network endpoints, and error handling. If you cannot verify those, avoid providing real secrets or using the skill for real purchases.
Capability Analysis
Type: OpenClaw Skill
Name: seap-shopping
Version: 1.0.0
The skill exhibits a shell injection vulnerability in SKILL.md, where user-provided input (queryGoodsIntention) is passed directly into a shell command (node scripts seap-cli search ... --intent=${queryGoodsIntention}) without sanitization. While the accompanying scripts/seap-cli.js contains only benign mock logic for searching and purchasing goods, the instruction pattern in SKILL.md creates a high-risk surface for remote code execution (RCE) if the OpenClaw agent executes the command as written. No evidence of intentional malice, data exfiltration, or persistence was found.
Capability Assessment
Purpose & Capability
SKILL.md and README describe real-world shopping: cloud authCode/secretToken, payment (aipay), and OpenClaw cron scheduling. The included scripts implement only local mock search/purchase logic (mockGoodsData, mockBuyResponse) and do not call any external APIs, do not read seap.config.json, and do not integrate with a cron service or payment gateway. The declared purpose (real purchases) does not match the actual capability (demo/mock local behavior).
Instruction Scope
The runtime instructions tell the agent to run node commands, read/write `${sessionId}.json` and `${sessionId}_state.json`, use a secretToken for deferred payments, and create cron tasks. The CLI writes sessionId.json results but does not implement cron creation or payment token usage. The SKILL.md also inconsistently references command names (e.g., 'node scripts seap-cli' vs the actual file seap-cli.js) and describes state files that are not fully managed by the code. Instructions thus promise actions (networked payments, scheduling) that the code does not perform.
Install Mechanism
No install spec is provided (instruction-only + included JS file). Nothing is downloaded or extracted from external URLs; risk from install mechanism is low. The skill does write/read files in the skill working directory at runtime (session JSON files).
Credentials
No environment variables or external credentials are required by the package metadata. However, SKILL.md and seap.config.json instruct the user to store sensitive values (authCode, secretToken, address) in a local seap.config.json file. Those tokens are not used by the included CLI, which is inconsistent — storing payment tokens in plaintext config files is a potential security risk and should be avoided unless you verify the code and storage protections.
Persistence & Privilege
always is false; the skill is user-invocable and may be invoked autonomously (platform default). The skill writes per-session files (e.g., `${sessionId}.json`) in the skill directory at runtime but does not modify other skills or system-wide settings. No elevated persistence requests are present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install seap-shopping - After installation, invoke the skill by name or use
/seap-shopping - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SEAP Shopping Skill v1.0.0 – Initial Release
- Supports both in-person and scheduled (not-in-person) product purchases via dialog triggers.
- Automatically activates when the user's message contains the keyword "买".
- Integrates with seap-cli tools for searching products and handling payment.
- Provides a workflow for users to select items by number and confirm purchases.
- Enables scheduled purchase tasks by parsing time expressions and setting up cron jobs.
- Maintains session state, purchase mode, and scheduling info for each user session.
Metadata
Frequently Asked Questions
What is 服务分发购物SKILL?
用户在场/不在场购买skill. It is an AI Agent Skill for Claude Code / OpenClaw, with 76 downloads so far.
How do I install 服务分发购物SKILL?
Run "/install seap-shopping" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 服务分发购物SKILL free?
Yes, 服务分发购物SKILL is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 服务分发购物SKILL support?
服务分发购物SKILL is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 服务分发购物SKILL?
It is built and maintained by as (@pingjiang); the current version is v1.0.0.
More Skills