← Back to Skills Marketplace
JD Price Protection 京东自动价保
by
Danielwangyy
· GitHub ↗
· v1.0.0
656
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install jd-price-protect
Description
Auto-apply JD.com (京东) price protection on all eligible orders. Connects to Chrome via OpenClaw Browser Relay CDP, navigates to JD price protection page, cli...
README (SKILL.md)
JD Price Protection
Auto-apply price protection (价格保护) on all eligible JD.com orders via Chrome Browser Relay.
Prerequisites
- Chrome with OpenClaw Browser Relay extension installed and connected (badge ON)
- User must be logged into JD.com in Chrome
- OpenClaw gateway running
Usage
Run the script:
node \x3Cskill-dir>/scripts/price-protect.js
The script will:
- Connect to Chrome via OpenClaw's CDP relay (auto-derives relay token from gateway config)
- Navigate to
https://pcsitepp-fm.jd.com/if needed - Click every "申请价保" button on the page
- Reload and collect results (successes with refund amounts, failures with reasons)
- Output JSON results
Interpreting Results
{
"total": 11,
"clicked": 11,
"success": [{"name": "ANKER 140W充电线...", "amount": "6.00"}],
"failed": [{"name": "KAMAN收纳盒...", "reason": "无差价"}]
}
- Only notify user if
successarray is non-empty (refunds obtained) - If all items show "无差价", update state silently
Scheduled Usage
Set up a cron job to run every ~8 hours. Example agent prompt:
Run
node \x3Cskill-dir>/scripts/price-protect.js. If Chrome relay is disconnected (error), skip silently. If refunds found, notify user. Otherwise update checkedAt silently.
Troubleshooting
- "No browser page available": Chrome relay disconnected. User must click Browser Relay toolbar icon.
- "No gateway token found": Set
GATEWAY_TOKENenv var or ensure~/.openclaw/openclaw.jsonhasgateway.auth.token. - Timeout on clicks: A popup may be blocking. Script presses Escape after each click to dismiss.
How It Works
Derives the relay auth token via HMAC-SHA256(gatewayToken, "openclaw-extension-relay-v1:\x3Cport>"), connects Playwright to Chrome's CDP websocket, then uses getByText('申请价保', {exact: true}).click() to trigger each button.
Usage Guidance
This skill appears to implement exactly what it claims (automatically apply price-protection requests in your JD account) and doesn't contact unexpected remote servers, but take these precautions before installing or running it:
- Code review: inspect scripts/price-protect.js yourself (it's included) or have someone you trust review it before running.
- Gateway token: the script reads your OpenClaw gateway token from ~/.openclaw/openclaw.json or GATEWAY_TOKEN. That token lets the script control your browser via the relay; do not provide it to untrusted skills or services.
- Dependencies: the SKILL.md omits runtime deps — install Node and playwright-core (or ensure your environment already provides it) before running.
- Test manually first: run the script manually while watching the browser to ensure it clicks only expected elements and behaves correctly; do not enable as an unattended cron job until satisfied.
- Run in a contained profile: consider using a separate Chrome profile where only the needed JD account is logged in to limit side effects.
- Scheduled behavior: be aware the script may exit with an error if the gateway/relay is disconnected (contrary to the 'skip silently' phrasing in the doc); wrap cron invocation to handle non-zero exit codes if you want silent behavior.
If you are not comfortable with code that can drive your logged-in browser, do not install or run this skill. If you proceed, keep your gateway token secret and run the script in a controlled environment first.
Capability Analysis
Type: OpenClaw Skill
Name: jd-price-protect
Version: 1.0.0
The skill is classified as suspicious due to the presence of risky capabilities, even though their immediate intent appears benign and aligned with the stated purpose. The `scripts/price-protect.js` file accesses the local file system to read `~/.openclaw/openclaw.json` to obtain the OpenClaw gateway token, and then uses this token to establish a local network connection (`ws://127.0.0.1:<port>/cdp`) for browser automation. While these actions are plausibly needed for the skill's functionality, they represent file system and network access capabilities that could be exploited if the skill's intent were malicious. Additionally, the `SKILL.md` file contains instructions for the AI agent (e.g., 'skip silently', 'update state silently'), which, while used here for benign output control, demonstrate the agent's susceptibility to prompt injection, a general vulnerability.
Capability Assessment
Purpose & Capability
The skill claims to drive JD.com pages via the OpenClaw Browser Relay and the included script does exactly that: derives a relay token, connects to a local CDP websocket, finds/navigates to the JD price-protection page, clicks '申请价保' buttons, and collects results. Required accesses (gateway token or ~/.openclaw/openclaw.json) are coherent with the stated purpose.
Instruction Scope
SKILL.md and the script are aligned on the core workflow. Minor inconsistencies: SKILL.md suggests scheduled runs should 'skip silently' when the Chrome relay is disconnected, but the script throws errors like 'No gateway token found' or 'No browser page available' and exits non-zero—so scheduled behavior may not be as silent as described. The script reads only the gateway token from ~/.openclaw/openclaw.json (or GATEWAY_TOKEN) and otherwise operates only through the browser; it does not call external network endpoints from Node itself.
Install Mechanism
There is no install spec (instruction-only), which reduces surface risk. However the script requires Node and the 'playwright-core' module; neither Node nor dependency installation is documented in SKILL.md. The script tries to require 'playwright-core' (including a fallback path), so users must ensure playwright-core is installed in their environment before running.
Credentials
The script needs only the OpenClaw gateway token (from GATEWAY_TOKEN env var or ~/.openclaw/openclaw.json) to derive the relay token — this is proportional because the relay token is what authorizes CDP access to the user's browser. No other credentials or unrelated secrets are requested.
Persistence & Privilege
The skill does not request persistent 'always' inclusion or modify other skills/config. However it exercises a high-impact capability at runtime: it controls the user's browser (pages and clicks) while the user is logged in to JD. That privilege is expected for this task but is powerful — the script will act with the authority of the logged-in session, so the user should only run it for trusted code and contexts.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install jd-price-protect - After installation, invoke the skill by name or use
/jd-price-protect - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: auto-click all price protection buttons on JD.com, supports pagination and cron scheduling.
Metadata
Frequently Asked Questions
What is JD Price Protection 京东自动价保?
Auto-apply JD.com (京东) price protection on all eligible orders. Connects to Chrome via OpenClaw Browser Relay CDP, navigates to JD price protection page, cli... It is an AI Agent Skill for Claude Code / OpenClaw, with 656 downloads so far.
How do I install JD Price Protection 京东自动价保?
Run "/install jd-price-protect" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is JD Price Protection 京东自动价保 free?
Yes, JD Price Protection 京东自动价保 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does JD Price Protection 京东自动价保 support?
JD Price Protection 京东自动价保 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created JD Price Protection 京东自动价保?
It is built and maintained by Danielwangyy (@danielwangyy); the current version is v1.0.0.
More Skills