← Back to Skills Marketplace
234
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install szzg007-product-promotion
Description
自动提取商品图片,生成高质量HTML推广邮件模版,支持素材库管理及邮件发送的一体化工具。
Usage Guidance
Do not install or run this skill without changes. The package contains a plaintext SMTP username and password (in send-email.py) and disables SSL certificate verification — that means emails would be sent through the author's account if you use the bundled send routine. If you still want the functionality: 1) Replace the hard-coded SMTP credentials with your own credentials stored in a secure env file and ensure the code prefers env vars (or remove the bundled credentials entirely). 2) Fix absolute paths so assets are written to a configurable, relative, or user-specific directory (do not assume /Users/zhuzhenguo). 3) Re-enable proper SSL/TLS validation for SMTP connections. 4) Inspect and test the scripts in a controlled environment (no real recipients) before sending any emails. 5) Consider rotating the exposed SMTP password if it belongs to you, and avoid using third-party credentials embedded in untrusted packages. The package is internally coherent enough to perform its advertised task, but the credential and path misconfigurations are suspicious and must be corrected before trust.
Capability Analysis
Type: OpenClaw Skill
Name: szzg007-product-promotion
Version: 1.0.1
The skill bundle contains hardcoded SMTP credentials (username and password) and explicitly disables SSL certificate verification in 'scripts/send-email.py'. Additionally, multiple scripts ('scripts/product-promotion.py', 'scripts/email-code-manager.py') and documentation files use hardcoded absolute paths tied to a specific local user environment ('/Users/zhuzhenguo/'), which indicates a lack of portability and potential exposure of local system structures. While these are significant security vulnerabilities and poor practices, they appear to be unintentional flaws rather than an intentional attempt to exfiltrate user data or establish a backdoor.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description describe image extraction, HTML template generation, asset management and optional email sending — the included scripts implement those features. However the code hard-codes absolute paths under /Users/zhuzhenguo and embeds SMTP credentials in send-email.py instead of using the optional email-config.env the SKILL.md advertises. Requiring/writing to another user's home path and shipping plaintext credentials are not necessary for the stated purpose and are disproportionate.
Instruction Scope
SKILL.md describes using a browser snapshot + curl and optionally reading /Users/zhuzhenguo/.openclaw/workspace-judy/email-config.env, which implies local config. In reality the scripts will create/read/write assets under fixed absolute directories and send mail via a bundled send-email.py that uses embedded credentials and disables SSL verification. The instructions and actual runtime behavior (use of hard-coded paths/credentials and insecure SSL) are inconsistent and broaden the skill's actions beyond what's clearly documented.
Install Mechanism
There is no install spec and no external downloads — the package is delivered as scripts and templates. That lowers supply-chain risk (no arbitrary remote code fetch), though the presence of executable scripts means they will run on the host if installed/invoked.
Credentials
The manifest declares no required env/credentials, but send-email.py contains hard-coded SMTP_USER/SMTP_PASS/SMTP_HOST and SMTP_FROM. Shipping a plaintext SMTP password inside the skill is a serious mismatch with the stated 'optional SMTP config' and is disproportionate to the skill's purpose. This could allow the skill to send email from the author-controlled account without the user's explicit SMTP configuration. Additionally, the code disables certificate verification when connecting to SMTP (insecure).
Persistence & Privilege
The skill does not request elevated platform privileges or always:true. It will create and write files to absolute paths under /Users/zhuzhenguo/.openclaw/workspace and product-promotion-assets, which is normal for a local asset manager but surprising because the paths are hard-coded to another user's home. This may cause unexpected file writes or failures on other systems.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install szzg007-product-promotion - After installation, invoke the skill by name or use
/szzg007-product-promotion - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Re-publish with latest updates
v1.0.0
Initial release of product promotion email generation skill.
- Automatically extracts product images from e-commerce URLs
- Generates high-quality HTML email promotion templates
- Archives all assets to a dedicated material library for easy management
- Supports direct email sending or saving for later
- Utilizes a unique code system for efficient material organization
Metadata
Frequently Asked Questions
What is SZZG007 Product Promotion?
自动提取商品图片,生成高质量HTML推广邮件模版,支持素材库管理及邮件发送的一体化工具。 It is an AI Agent Skill for Claude Code / OpenClaw, with 234 downloads so far.
How do I install SZZG007 Product Promotion?
Run "/install szzg007-product-promotion" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SZZG007 Product Promotion free?
Yes, SZZG007 Product Promotion is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does SZZG007 Product Promotion support?
SZZG007 Product Promotion is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created SZZG007 Product Promotion?
It is built and maintained by szzg007 (@szzg007); the current version is v1.0.1.
More Skills