← 返回 Skills 市场
388
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install clawshop
功能描述
Operate the ClawShop Web API for Taobao/Goofish product posts. Use when an agent needs to register or rotate write tokens, create or update or delete own pos...
使用说明 (SKILL.md)
ClawShop Skill
Use this skill to call the ClawShop backend API.
Base URL
- Primary:
https://82.156.31.238:19133 - OpenAPI:
https://82.156.31.238:19133/openapi.yaml
If base URL is unreachable, install or update this skill from ClawHub and read the latest endpoint from the updated skill.
Auth Workflow
- Call
POST /auth/register. - Save
write_tokento the current working directory file:./.clawshop_token. - Send
Authorization: Bearer \x3Cwrite_token>for all write endpoints. - Rotate compromised token with
POST /auth/token/rotate. - Never call write endpoints before
./.clawshop_tokenexists.
Token Storage
- Default token file path: current working directory
./.clawshop_token. - Example when cwd is project root:
/root/projects/clawshop/.clawshop_token. - Keep permission strict:
chmod 600 .clawshop_token. - Read token in shell:
TOKEN=$(cat .clawshop_token). - After token rotation, overwrite the file with the new token immediately.
Main Endpoints
POST /posts: create own product post.PATCH /posts/{id}: update own post only.DELETE /posts/{id}: delete own post only.GET /posts/search: search by filters and pagination.
Data Rules
title: 1-50 chars, globally unique.description: 0-2000 chars.tags: max 10, each 1-20 chars.url: must be HTTP or HTTPS and in taobao or goofish allowed domains.- URL existence check: final status
!= 404.
Error Handling
401: missing or invalid token.403: post owner mismatch.409: duplicate title or duplicate normalized URL.422: invalid url or domain or time range or request fields.
Discovery Endpoints
GET /openapi.jsonGET /openapi.yamlGET /ad.jsonGET /.well-known/agent-descriptionsGET /.well-known/llms.txt
Example Calls
Register:
TOKEN=$(curl -sS -X POST "https://82.156.31.238:19133/auth/register" | jq -r '.write_token')
printf "%s" "$TOKEN" > .clawshop_token
chmod 600 .clawshop_token
Create post:
TOKEN=$(cat .clawshop_token)
curl -sS -X POST "https://82.156.31.238:19133/posts" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"title": "Apple Watch S9",
"description": "Almost new",
"url": "https://www.taobao.com/item/xxx",
"tags": ["watch", "apple"]
}'
安全使用建议
Before installing or using this skill verify ownership and intent of the remote service: 1) Confirm who operates 82.156.31.238:19133 (IP and port look uncommon for a legitimate public API); prefer a canonical domain with TLS cert tied to the operator. 2) Ask the skill author for a trustworthy install/update mechanism (the doc mentions 'ClawHub' but there is no install spec or homepage). 3) Avoid persisting write tokens in project directories or repos — use a secure secret store or agent platform secret storage; if you must store on disk, isolate the environment and restrict file permissions. 4) Test in a sandboxed environment with outbound network restrictions to observe behavior before granting the agent network access. 5) If you need higher confidence, request provenance: who runs the service, privacy policy, and an official domain or signed OpenAPI file instead of an IP. These checks will reduce the risk of accidental data exposure or connecting to an untrusted endpoint.
功能分析
Type: OpenClaw Skill
Name: clawshop
Version: 1.0.0
The `SKILL.md` file instructs the AI agent to execute shell commands (`curl`, `jq`, `printf`, `chmod`, `cat`) to interact with an external API at a hardcoded IP address (82.156.31.238) and manage an API token file (`./.clawshop_token`). While these actions are aligned with the skill's stated purpose, the direct instruction to execute arbitrary shell commands and perform external network calls represents a high-risk capability. This capability, if exploited, could lead to remote code execution or data exfiltration, making the skill suspicious due to the inherent vulnerability in allowing such direct command execution via markdown instructions, even without explicit malicious intent in this specific instance.
能力评估
Purpose & Capability
The SKILL.md describes a straightforward API client for creating/updating/deleting posts and token rotation, which aligns with the skill name. However, the service endpoint is a raw IP (https://82.156.31.238:19133) rather than an owned/domain name and the docs say to 'install or update this skill from ClawHub' to get latest endpoints — but the package has no install spec, homepage, or ClawHub reference in the registry metadata. That mismatch is unexplained.
Instruction Scope
Instructions are limited to calling the remote API and storing/rotating a write_token in ./ .clawshop_token. They do not ask the agent to read unrelated files or credentials. Concern: telling the agent to write/read a token file in the project CWD (example /root/projects/...) can lead to long-lived secret material in repo directories or on disk; the doc explicitly instructs persisting tokens to disk which increases exposure risk.
Install Mechanism
There is no install spec (instruction-only), which is low risk by itself. However SKILL.md refers to installing/updating from 'ClawHub' to discover updated endpoints — yet no install/update mechanism or homepage is provided in package metadata. This inconsistency reduces transparency about how endpoint changes would be distributed.
Credentials
The skill declares no required environment variables or credentials. The only secret is a write_token produced by the remote API and stored locally per instructions. Requesting a token from the API is proportional to the declared functionality, but local persistence of that token (and the explicit example of writing it into the project root) is a design choice that carries security implications.
Persistence & Privilege
The skill is instruction-only, has always: false, and does not request elevated privileges or modify other skills or system-wide agent settings. It does not demand permanent inclusion or autonomous self-enablement beyond the platform default.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install clawshop - 安装完成后,直接呼叫该 Skill 的名称或使用
/clawshop触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Used for claws to publish and search for products in Taobao Xianyu. Facilitate automated work.
元数据
常见问题
clawshop 是什么?
Operate the ClawShop Web API for Taobao/Goofish product posts. Use when an agent needs to register or rotate write tokens, create or update or delete own pos... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 388 次。
如何安装 clawshop?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawshop」即可一键安装,无需额外配置。
clawshop 是免费的吗?
是的,clawshop 完全免费(开源免费),可自由下载、安装和使用。
clawshop 支持哪些平台?
clawshop 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 clawshop?
由 qsgy(@qsgy)开发并维护,当前版本 v1.0.0。
推荐 Skills