← 返回 Skills 市场

Add to Cart from Bitable

Name: Add to Cart from Bitable
Author: lorpha

作者 Lorpha · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

1059

总下载

当前安装

版本数

在 OpenClaw 中安装

/install addtocartfrombitable

功能描述

从飞书Bitable表格获取商品信息（链接、规格、数量），然后通过浏览器自动化将其加入天猫/淘宝购物车。触发词：加购物车、Bitable商品、批量加购、采购表格。

使用说明 (SKILL.md)

从 Bitable 加入购物车

从飞书多维表格读取商品信息，自动添加到淘宝/天猫购物车。

Bitable 表格要求

默认表格：https://somo-tech.feishu.cn/base/UIdIbPe2RaOQ1tsNIhlcB5ilngc

app_token: UIdIbPe2RaOQ1tsNIhlcB5ilngc
table_id: tblwMnggn0CuboHs

必需字段：

字段名	类型	说明
链接	URL	商品链接（从 `field.link` 取值）
采购规格	Text	要选择的规格文本，必须与页面上的规格选项完全匹配
数量	Number	购买数量

操作流程

1. 获取待处理记录

feishu_bitable_list_records(app_token, table_id, page_size=20)

筛选出有完整 链接、采购规格、数量 的记录。

2. 逐个处理商品

对每条记录执行：

2.1 提取信息

productUrl = record.fields.链接.link
productSpec = record.fields.采购规格
productQuantity = record.fields.数量

2.2 打开商品页面

browser.open(profile='openclaw', targetUrl=productUrl)

等待页面加载完成（约 3-5 秒）。

2.3 使用 evaluate 查找并点击规格

由于页面元素可能动态加载，直接使用 snapshot 可能无法找到。建议优先使用 evaluate 查找包含规格文本的元素并点击。

browser.act(profile='openclaw', request={
    kind: 'evaluate',
    fn: `(specText) => {
        // XPath 查找包含文本的元素
        const xpath = "//*[contains(text(), '" + specText + "')]";
        const result = document.evaluate(xpath, document, null, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
        for (let i = 0; i \x3C result.snapshotLength; i++) {
            const node = result.snapshotItem(i);
            // 尝试点击，如果失败则向上找 clickable 的父元素
            let target = node;
            while (target && target !== document.body) {
                // 检查常见的可点击标签或属性
                if (['A', 'BUTTON', 'LI'].includes(target.tagName) || target.getAttribute('role') === 'button' || target.className.includes('sku')) {
                    target.click();
                    return true;
                }
                target = target.parentElement;
            }
            // 实在不行点击节点本身
            node.click();
            return true;
        }
        return false;
    }`,
    args: [productSpec]
})

2.4 设置数量

同理，使用 evaluate 找到输入框并修改值：

browser.act(profile='openclaw', request={
    kind: 'evaluate',
    fn: `(qty) => {
        const inputs = document.querySelectorAll('input.text-amount, input.mui-amount-input, input[type=number]');
        for (let input of inputs) {
             // 简单的启发式规则：value 是 1 或不为空
             if (input.value) {
                input.value = qty;
                input.dispatchEvent(new Event('input', { bubbles: true }));
                input.dispatchEvent(new Event('change', { bubbles: true }));
                return true;
            }
        }
        return false;
    }`,
    args: [productQuantity]
})

2.5 点击加入购物车

找到"加入购物车"按钮并点击：

browser.act(profile='openclaw', request={
    kind: 'evaluate',
    fn: `() => {
        const buttons = document.querySelectorAll('a, button, div[role=button]');
        for (let btn of buttons) {
            const text = btn.innerText || btn.textContent;
            if (text && (text.includes('加入购物车') || text.includes('加入购物袋'))) {
                btn.click();
                return true;
            }
        }
        return false;
    }`
})

2.6 确认添加

等待 2-3 秒，检查是否出现成功提示或购物车数量变化。

3. 汇报结果

完成后通过 message 工具发送 Telegram 通知：

message(action='send', channel='telegram', to='telegram:1642489086', message='采购商品已加入购物车：\
- 商品1: ✅\
- 商品2: ✅\
...')

改进点：

不再仅依赖 browser.snapshot 返回的静态文本 ref，而是利用 evaluate 在浏览器上下文中直接执行 DOM 操作，提高对动态页面和复杂结构的适应性。
增加了针对规格选择、数量设置和加购按钮的具体 DOM 查找策略。

示例调用

用户说："帮我把采购表格里的商品加入购物车"

读取 Bitable 记录
对每个有效记录执行加购流程 (优先使用 evaluate 策略)
汇报结果

安全使用建议

Before installing: 1) Confirm how Feishu access will be provided — the SKILL.md shows an app_token/table_id but the skill does not declare required credentials; supplying credentials without understanding scope risks data exposure. 2) Check the Telegram notification target (telegram:1642489086): who receives these reports? If you expect notifications to your own account, replace the hardcoded recipient and verify the messaging channel configuration. 3) Understand that the skill executes arbitrary JS in merchant pages (to find and click elements) — while necessary for automation, it can read page content and interact with elements beyond 'add to cart'. Run first in a dry-run or sandboxed browser profile, verify behavior on non-production accounts, and ensure you are logged in to the correct shopping account. 4) Prefer that the skill explicitly declare required env vars (Feishu app token, Telegram bot token) and avoid embedded example tokens in docs; ask the author for clarity or modify the code to prompt for credentials. If you cannot verify the recipient(s) and credential handling, treat the skill as potentially leaking shopping data and proceed cautiously.

功能分析

Type: OpenClaw Skill Name: addtocartfrombitable Version: 1.0.0 The skill opens URLs (`productUrl`) sourced directly from an external Feishu Bitable table without apparent validation or sanitization, as seen in `SKILL.md` and `scripts/index.js`. This creates a vulnerability where a compromised Bitable table could direct the agent's browser to arbitrary malicious websites (e.g., phishing, drive-by downloads), leading to potential security risks for the agent's environment. While the core functionality is benign browser automation, this lack of input validation for URLs constitutes a significant vulnerability, classifying it as suspicious rather than malicious.

能力评估

ℹ Purpose & Capability

The name/description match the code and SKILL.md: both read records and perform browser automation to add items to carts. However, the JS implementation uses a hardcoded sample records array instead of actually calling the Bitable API, while the SKILL.md explicitly references a Bitable app_token and table_id (included inline as examples). The skill does not declare any required credentials even though Feishu access and a messaging integration are described.

⚠ Instruction Scope

Runtime instructions direct the agent to: call feishu_bitable_list_records, execute arbitrary evaluate() JavaScript inside merchant pages (DOM traversal and clicks), and send a Telegram message to a specific recipient id. Executing arbitrary JS in third‑party pages is expected for browser automation, but it can also be used to read page content or interact with elements beyond the stated goal. The SKILL.md also instructs sending notifications to a hardcoded external Telegram target (telegram:1642489086), which is an unexpected external endpoint and could leak data if not intended.

✓ Install Mechanism

This is an instruction-only skill with a small included script; there is no install spec, no external downloads, and no package installs. Nothing is written to disk by an installer here — low install risk.

⚠ Credentials

The skill declares no required environment variables or credentials, yet the SKILL.md references a Feishu app_token/table_id and uses a messaging tool that likely requires a Telegram bot token or configured channel. The app_token/table_id included in the doc appear to be example values (but are in plaintext), and the Telegram recipient is hardcoded; the skill should have explicitly declared which credentials it needs and why. The omission is a proportionality/information mismatch that could hide where secrets must be supplied or where data will be sent.

✓ Persistence & Privilege

The skill does not request always:true or any persistent system-wide privileges. It relies on the platform's browser and messaging tools and does not attempt to modify other skills or system configs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install addtocartfrombitable
安装完成后，直接呼叫该 Skill 的名称或使用 /addtocartfrombitable 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial publish: Bulk add items to Taobao/Tmall cart from Feishu Bitable.

元数据

Slug addtocartfrombitable

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题