xifengzhu

cross-border-intel

Author: leif Yi · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 85
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install cross-border-intel
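Description
A product-selection and competitor-intelligence assistant for cross-border sellers that automatically monitors Amazon ASIN activity and tracks trending TikTok products.
Usage (SKILL.md)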

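Cross-Border Product Selection Intelligence Assistant

A localized intelligence workbench for cross-border sellers that continuously tracks Amazon competitor prices, BSR and review changes and captures TikTok trending-product signals, helping you spot opportunities, validate product choices and follow competitor moves faster.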

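Commands

/intel_add <type> <value>

Add an Amazon ASIN or TikTok keyword for long-term tracking.

  • /intel_add asin B0XXXXXXXXX — add an Amazon ASIN
  • /intel_add keyword "kitchen gadgets" — add a TikTok category keyword

/intel_list

View the current watchlist and tracking scope.

/intel_remove <type> <value>

Remove a target from the watchlist.

/intel_report [daily|weekly]

Manually generate a daily or weekly report to quickly review market changes.

/intel_scan

Run a full scan immediately and refresh the latest intelligence.

Automation

  • Amazon competitor data is scanned automatically every day at 08:00
  • TikTok trend data is scanned automatically every day at 20:00
  • Alerts are triggered automatically when price changes by >5%, BSR changes by >30%, or a TikTok video exceeds 1 million views
  • A weekly report is generated automatically every Monday at 09:00, summarizing key trends and opportunities
Security recommendations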
Key issues to consider before installing:

  • The code will attempt to read your OpenClaw gateway token (from OPENCLAW_GATEWAY_TOKEN env or ~/.openclaw/openclaw.json) and uses it as a Bearer token for requests to https://api.haixia.ai. If that gateway token is sensitive (authenticates your OpenClaw instance or other skills), installing this skill could expose it to an external service.
  • SKILL.md does not mention any credential use or external backend. The required binaries listed in SKILL.md (python3, curl, jq) do not match the JavaScript implementation, indicating sloppy or incomplete packaging/documentation.
  • The skill persists data locally (a SQLite DB under your OpenClaw state directory). That is expected, but combined with the gateway-token usage it could leak sensitive context along with the token.

What to do if you consider installing:

  • Don’t install in a production environment or on a machine with sensitive OpenClaw credentials until you verify the backend. Run it in an isolated sandbox or VM first.
  • Inspect the code yourself (you have the package sources). Search for getIntelApiUrl, loadGatewayToken, OPENCLAW_GATEWAY_TOKEN and api.haixia.ai usage. Confirm whether the external endpoint is trustworthy and why the gateway token is needed.
  • If you need this skill but want to limit risk: create a separate, limited gateway token (if OpenClaw supports that) for this skill, or set INTEL_API_URL to a trusted internal endpoint, or unset OPENCLAW_GATEWAY_TOKEN so the skill cannot access your main token.
  • Contact the publisher/owner (manifest lists owner 'beansmile' and npmPackageName '@beansmile/skill-cross-border-intel') and ask for a clear declaration of what credentials are required and why data is sent to api.haixia.ai. Verify the package provenance (npm or repo) before trusting it.

Given the clear mismatch between documentation and behavior (token reading + remote calls), treat this skill as suspicious until provenance and credential usage are clarified.
Functional analysis
Type: OpenClaw Skill
Name: cross-border-intel
Version: 1.0.0

The skill reads the OpenClaw gateway token from the user's global configuration file (~/.openclaw/openclaw.json) and transmits it to an external endpoint (api.haixia.ai) for authentication. While the architecture documentation claims this is for backend 'capability' access, it represents a significant risk of credential exfiltration.

Additionally, multiple files (scripts/intel_wrapper.sh and test-wrapper.mjs) contain hardcoded absolute paths to a specific developer's local directory (/Users/zhuqiangyi/...), which is highly non-portable and suggests improper packaging.

Finally, the database logic in dist/core/database.js uses a manual string-replacement method for SQL parameter binding that is potentially vulnerable to SQL injection.
Capability assessment
Purpose & Capability
The manifest and SKILL.md describe a local intelligence assistant that monitors Amazon ASINs and TikTok trends. However, much of the implementation delegates data collection to a remote backend (api.haixia.ai) via dist/api/index.js. The SKILL.md did not disclose reliance on an external service or any required credentials. Also the SKILL.md lists required binaries (python3, curl, jq) which are not used by the visible JS code — another mismatch.
Instruction Scope
SKILL.md only documents CLI-like commands and automated scan schedules and makes no mention of reading OpenClaw configuration files or exporting tokens. The code (dist/core/config.js -> loadGatewayToken) will read the OpenClaw config file (~/.openclaw/openclaw.json) or the OPENCLAW_GATEWAY_TOKEN env var and then use that token when calling the external API. That behavior is outside the documented scope and not declared to the user.
Install Mechanism
There is no install spec in the package manifest (instruction-only install spec missing), but the package contains many JS files and references libraries (e.g., sql.js). No network download/installation URLs were found in the provided manifest, so install risk is moderate — the code will expect node-side dependencies at runtime. The lack of an install specification is a usability/traceability concern but not itself direct malicious evidence.
Credentials
SKILL.md declares no required environment variables or credentials, yet the code reads OPENCLAW_GATEWAY_TOKEN or falls back to the user's OpenClaw config file to extract gateway.auth.token and uses it as an Authorization Bearer token for requests to api.haixia.ai. This is disproportionate: a local monitoring skill should not need to read platform gateway tokens unless explicitly documented. Other implicit env vars used in code: OPENCLAW_CONFIG_PATH, OPENCLAW_STATE_DIR, INTEL_API_URL, INTEL_DB_PATH — none declared in SKILL.md.
Persistence & Privilege
The skill creates and writes a local SQLite DB under the derived skill state directory (getSkillStateDir -> local.sqlite3) and will persist watchlists, snapshots and alerts — this is consistent with its stated functionality. It does access the platform OpenClaw config (to load gateway token), which means it reads a configuration file belonging to the platform; that cross-config access is a privilege worth flagging because it enables the token export described above.
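How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cross-border-intel
  3. Once installed, invoke the Skill by name or trigger it with /cross-border-intel
  4. Provide the required inputs per the Skill's parameter description to get structured output
Version history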
v1.0.0
cross-border-intel 1.0.0 — Initial Release
  • Launches a localized intelligence tool for cross-border sellers, focused on Amazon and TikTok tracking.
  • Enables monitoring of Amazon ASIN price, BSR, and review changes, plus TikTok product trends.
  • Provides commands to add, remove, list, and report on tracked ASINs or keywords.
  • Supports immediate and scheduled scans; issues alerts for significant changes.
  • Delivers daily and weekly automated scanning and reporting routines.
Metadata
Slug cross-border-intel
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

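What is cross-border-intel?

A product-selection and competitor-intelligence assistant for cross-border sellers that automatically monitors Amazon ASIN activity and tracks trending TikTok products. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 85 total downloads to date.

How do I install cross-border-intel?

Run the command "/install cross-border-intel" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is cross-border-intel free?

Yes. cross-border-intel is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does cross-border-intel support?

cross-border-intel runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed cross-border-intel?

Developed and maintained by leif Yi (@xifengzhu); the current version is v1.0.0.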
