← Back to Skills Marketplace
Ecommerce Logistics
by
charles-lpf
· GitHub ↗
· v1.0.0
· MIT-0
113
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ecommerce-logistics
Description
Aggregate logistics information from Taobao, JD, PDD, and Douyin. One-click query for multi-platform order tracking. Supports persistent cookie storage and Q...
README (SKILL.md)
E-commerce Logistics Aggregator(电商物流聚合)
Query order logistics from Taobao, JD.com, Pinduoduo, and Douyin with persistent authentication.
Features
- 🔗 Multi-platform: Taobao, PDD (JD & Douyin not supported due to anti-bot)
- 🔒 Persistent login: Cookie storage, no repeated logins
- 🛡️ Stealth mode: Bypass basic anti-bot detection
- ⏱️ Rate limiting: Built-in request throttling
- 📱 QR login: Graceful handling of expired sessions
- 🚚 In-transit filter: Only show orders currently in transit
Setup
# Install dependencies
cd scripts && npm install
# Required environment variables (optional, for headless operation)
export ECOM_LOGISTICS_DATA_DIR="$HOME/.ecommerce-logistics"
Usage
First Time: Login to Platforms
cd scripts
# Login to Taobao (opens browser for QR scan)
npm run query -- --platform taobao --login
# Login to PDD
npm run query -- --platform pdd --login
# Note: JD and Douyin are not supported due to strict anti-bot measures
Query Logistics
# Query all platforms (requires prior login)
npm run query -- --all
# Query specific platform
npm run query -- --platform taobao
npm run query -- --platform pdd
# Query with custom data directory
npm run query -- --all --data-dir /path/to/cookies
# Run in headless mode (no browser window)
npm run query -- --all --headless
QR Login Process
When cookies are missing or expired:
- The skill opens a browser window with the platform login page
- A QR code screenshot is saved to
~/.ecommerce-logistics/{platform}-qr.png - Scan the QR code with the platform's mobile app
- Complete login in the browser window
- Cookies are automatically saved for future use
Note: If you see "Cookie 已过期,需要重新登录", run the login command again.
Cookie Storage
Cookies are stored encrypted in:
- Default:
~/.ecommerce-logistics/cookies/ - Each platform has separate cookie file
- Auto-refresh on expiration
Architecture
scripts/src/
├── index.ts # CLI entry
├── core/
│ ├── aggregator.ts # Main orchestrator
│ ├── auth-manager.ts # Cookie & QR login
│ ├── rate-limiter.ts # Request throttling
│ └── stealth-browser.ts # Anti-detection browser
├── adapters/
│ ├── base-adapter.ts # Abstract base class
│ ├── taobao-adapter.ts
│ ├── jd-adapter.ts
│ ├── pdd-adapter.ts
│ └── douyin-adapter.ts
└── types/
└── index.ts # TypeScript interfaces
references/
└── selectors.md # Platform-specific CSS selectors
Error Handling
| Error | Handling |
|---|---|
| Cookie expired | Prompt QR re-login |
| Rate limited | Auto-backoff retry |
| Login page detected | Graceful error with instructions |
| Network timeout | 3 retries with exponential backoff |
Platform Support Status
| Platform | Status | Notes |
|---|---|---|
| Taobao | ✅ Available | Order list + logistics info |
| JD | ❌ Unsupported | Anti-bot detection too strict |
| PDD | ✅ Available | Order list + tracking number + pickup code |
| Douyin | ❌ Unsupported | Requires mobile app access |
Implementation Notes
Anti-Detection Measures
The skill implements several stealth techniques:
- navigator.webdriver override - Hides automation flag
- Plugins spoofing - Simulates real browser plugins
- Viewport & User-Agent - Uses realistic desktop/mobile profiles
- Permissions API - Overrides notification permissions
- Playwright-specific cleanup - Removes
__playwrightproperties
Rate Limiting
Each platform has independent rate limits:
| Platform | Max Requests | Window |
|---|---|---|
| Taobao | 10 | 60s |
| JD | 15 | 60s |
| PDD | 8 | 60s |
| Douyin | 10 | 60s |
Cookie Expiration
- Cookies are considered expired after 30 days
- Expired cookies trigger QR re-login prompt
- Each platform stores cookies independently
Development
Updating Selectors
Platform websites change frequently. Update selectors in:
references/selectors.md- Documentationsrc/adapters/*-adapter.ts- Implementation
Testing
# Compile TypeScript
cd scripts && npm run build
# Run in development mode
npm run dev -- --platform taobao
# Debug with visible browser
npm run query -- --platform taobao --headless=false
Usage Guidance
Key things to check before installing or running this skill:
1) Inspect auth-manager.ts to confirm cookies are actually encrypted at rest and to see where encryption keys are stored. If cookies are plaintext, do not use real accounts.
2) Remove or change hardcoded debug paths (e.g., /Users/charles/.ecommerce-logistics/...). Those lines save full HTML and screenshots of authenticated pages and may leak sensitive information. Ensure the skill uses the configured data directory (ECOM_LOGISTICS_DATA_DIR or ~/.ecommerce-logistics) rather than absolute user paths.
3) Run first in an isolated environment (VM or throwaway account) because the skill automates browsers, may download browser binaries (Playwright), and will access/hold your session cookies.
4) Verify there is no code that exfiltrates data to external endpoints (search for fetch/XHR to third-party hosts in auth-manager and stealth-browser). The provided files do not show obvious network exfiltration, but truncated files include auth-manager and stealth-browser — inspect them.
5) Be aware of site policy/legal risk: the tool purposely includes anti-detection/stealth measures to bypass anti-bot checks; this can violate terms of service of the shopping platforms.
6) Note the documentation/code mismatch about JD/Douyin support — expect behavior may differ from the README. If you need only a subset (e.g., PDD/Taobao) consider removing adapters for unsupported platforms.
If you cannot review the missing files yourself, treat this skill as risky and avoid using real credentials or primary accounts until the above concerns are resolved.
Capability Analysis
Type: OpenClaw Skill
Name: ecommerce-logistics
Version: 1.0.0
The skill bundle contains several high-risk indicators and security discrepancies. Most notably, 'douyin-adapter.ts' contains hardcoded absolute file paths to a specific user's directory ('/Users/charles/'), which is a privacy risk and will cause execution failures on most systems. The 'stealth-browser.ts' file explicitly disables critical browser security features, including the Same-Origin Policy ('--disable-web-security'). Additionally, while 'SKILL.md' claims that session cookies are stored encrypted, the implementation in 'auth-manager.ts' saves them as plain-text JSON files, creating a significant credential exposure vulnerability.
Capability Assessment
Purpose & Capability
The skill's purpose is to aggregate logistics for Taobao, JD, PDD, and Douyin and the code includes adapters and a Playwright-based browser to do that — which is coherent. However the SKILL.md and feature table say JD and Douyin are unsupported due to anti-bot measures while the repository contains full JD and Douyin adapters and the aggregator queries all four platforms. That mismatch (documentation vs. code) is an inconsistency that could indicate sloppy maintenance or unexpected functionality.
Instruction Scope
Runtime instructions ask the user to run npm install and run the CLI; the code will launch headful/headless browsers, perform navigation, click/UI-scrape, and persist cookies. Several adapters write debug files (screenshots and full HTML) to disk — notably Douyin adapter saves screenshot and page HTML to an absolute path (/Users/charles/.ecommerce-logistics/...). Those debug writes can capture sensitive pages (including HTML containing tokens, order details) and the path is hardcoded to a specific user, meaning the skill will try to write to unexpected locations. SKILL.md claims cookies are "stored encrypted" but the actual cookie encryption/storage implementation (auth-manager) was not supplied in the truncated listing — you should verify encryption and that nothing is sent to third-party endpoints.
Install Mechanism
There is no automated install spec in registry metadata, but SKILL.md instructs running npm install in scripts/, which will install Playwright. Playwright will download browser binaries (network activity and large downloads) when installed/first-run. Dependencies come from npm and node_modules.lock references registry mirrors; no arbitrary HTTP/extract install URLs were found. This is expected for a Playwright-based tool but increases installation surface compared to an instruction-only skill.
Credentials
The skill declares no required env vars (only an optional ECOM_LOGISTICS_DATA_DIR), which is proportionate. However code writes cookie and debug files into a home-directory path and the Douyin adapter contains hardcoded absolute debug paths under /Users/charles/ rather than honoring the dataDir option — that is unexpected and could leak sensitive HTML/screenshots into a path that may not be on the user's system or might create files in an attacker-observable path if the username matches. No other unrelated credentials are requested in code or SKILL.md.
Persistence & Privilege
The skill persists cookies and other files to the user's filesystem (~/.ecommerce-logistics by default) which is consistent with its purpose (persistent logins). It does not request always:true. Autonomous invocation is allowed by default (platform behavior) but that is not combined with any extra high privileges here. Still, stored cookies are sensitive and must be protected; verify how auth-manager encrypts them and where keys are stored.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ecommerce-logistics - After installation, invoke the skill by name or use
/ecommerce-logistics - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of ecommerce-logistics skill.
- Aggregates logistics data from Taobao and Pinduoduo with persistent cookie storage.
- Supports QR code login for seamless authentication.
- Provides one-click, multi-platform order tracking; filters to show only in-transit orders.
- Implements stealth anti-bot techniques and built-in rate limiting.
- JD and Douyin are not supported due to anti-bot restrictions.
Metadata
Frequently Asked Questions
What is Ecommerce Logistics?
Aggregate logistics information from Taobao, JD, PDD, and Douyin. One-click query for multi-platform order tracking. Supports persistent cookie storage and Q... It is an AI Agent Skill for Claude Code / OpenClaw, with 113 downloads so far.
How do I install Ecommerce Logistics?
Run "/install ecommerce-logistics" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Ecommerce Logistics free?
Yes, Ecommerce Logistics is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Ecommerce Logistics support?
Ecommerce Logistics is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Ecommerce Logistics?
It is built and maintained by charles-lpf (@charles-lpf); the current version is v1.0.0.
More Skills