← 返回 Skills 市场

JD Price Protection 京东自动价保

Name: JD Price Protection 京东自动价保
Author: danielwangyy

作者 Danielwangyy · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

656

总下载

当前安装

版本数

在 OpenClaw 中安装

/install jd-price-protect

功能描述

Auto-apply JD.com (京东) price protection on all eligible orders. Connects to Chrome via OpenClaw Browser Relay CDP, navigates to JD price protection page, cli...

使用说明 (SKILL.md)

JD Price Protection

Auto-apply price protection (价格保护) on all eligible JD.com orders via Chrome Browser Relay.

Prerequisites

Chrome with OpenClaw Browser Relay extension installed and connected (badge ON)
User must be logged into JD.com in Chrome
OpenClaw gateway running

Usage

Run the script:

node \x3Cskill-dir>/scripts/price-protect.js

The script will:

Connect to Chrome via OpenClaw's CDP relay (auto-derives relay token from gateway config)
Navigate to https://pcsitepp-fm.jd.com/ if needed
Click every "申请价保" button on the page
Reload and collect results (successes with refund amounts, failures with reasons)
Output JSON results

Interpreting Results

{
  "total": 11,
  "clicked": 11,
  "success": [{"name": "ANKER 140W充电线...", "amount": "6.00"}],
  "failed": [{"name": "KAMAN收纳盒...", "reason": "无差价"}]
}

Only notify user if success array is non-empty (refunds obtained)
If all items show "无差价", update state silently

Scheduled Usage

Set up a cron job to run every ~8 hours. Example agent prompt:

Run node \x3Cskill-dir>/scripts/price-protect.js. If Chrome relay is disconnected (error), skip silently. If refunds found, notify user. Otherwise update checkedAt silently.

Troubleshooting

"No browser page available": Chrome relay disconnected. User must click Browser Relay toolbar icon.
"No gateway token found": Set GATEWAY_TOKEN env var or ensure ~/.openclaw/openclaw.json has gateway.auth.token.
Timeout on clicks: A popup may be blocking. Script presses Escape after each click to dismiss.

How It Works

Derives the relay auth token via HMAC-SHA256(gatewayToken, "openclaw-extension-relay-v1:\x3Cport>"), connects Playwright to Chrome's CDP websocket, then uses getByText('申请价保', {exact: true}).click() to trigger each button.

安全使用建议

This skill appears to implement exactly what it claims (automatically apply price-protection requests in your JD account) and doesn't contact unexpected remote servers, but take these precautions before installing or running it: - Code review: inspect scripts/price-protect.js yourself (it's included) or have someone you trust review it before running. - Gateway token: the script reads your OpenClaw gateway token from ~/.openclaw/openclaw.json or GATEWAY_TOKEN. That token lets the script control your browser via the relay; do not provide it to untrusted skills or services. - Dependencies: the SKILL.md omits runtime deps — install Node and playwright-core (or ensure your environment already provides it) before running. - Test manually first: run the script manually while watching the browser to ensure it clicks only expected elements and behaves correctly; do not enable as an unattended cron job until satisfied. - Run in a contained profile: consider using a separate Chrome profile where only the needed JD account is logged in to limit side effects. - Scheduled behavior: be aware the script may exit with an error if the gateway/relay is disconnected (contrary to the 'skip silently' phrasing in the doc); wrap cron invocation to handle non-zero exit codes if you want silent behavior. If you are not comfortable with code that can drive your logged-in browser, do not install or run this skill. If you proceed, keep your gateway token secret and run the script in a controlled environment first.

功能分析

Type: OpenClaw Skill Name: jd-price-protect Version: 1.0.0 The skill is classified as suspicious due to the presence of risky capabilities, even though their immediate intent appears benign and aligned with the stated purpose. The `scripts/price-protect.js` file accesses the local file system to read `~/.openclaw/openclaw.json` to obtain the OpenClaw gateway token, and then uses this token to establish a local network connection (`ws://127.0.0.1:<port>/cdp`) for browser automation. While these actions are plausibly needed for the skill's functionality, they represent file system and network access capabilities that could be exploited if the skill's intent were malicious. Additionally, the `SKILL.md` file contains instructions for the AI agent (e.g., 'skip silently', 'update state silently'), which, while used here for benign output control, demonstrate the agent's susceptibility to prompt injection, a general vulnerability.

能力评估

✓ Purpose & Capability

The skill claims to drive JD.com pages via the OpenClaw Browser Relay and the included script does exactly that: derives a relay token, connects to a local CDP websocket, finds/navigates to the JD price-protection page, clicks '申请价保' buttons, and collects results. Required accesses (gateway token or ~/.openclaw/openclaw.json) are coherent with the stated purpose.

ℹ Instruction Scope

SKILL.md and the script are aligned on the core workflow. Minor inconsistencies: SKILL.md suggests scheduled runs should 'skip silently' when the Chrome relay is disconnected, but the script throws errors like 'No gateway token found' or 'No browser page available' and exits non-zero—so scheduled behavior may not be as silent as described. The script reads only the gateway token from ~/.openclaw/openclaw.json (or GATEWAY_TOKEN) and otherwise operates only through the browser; it does not call external network endpoints from Node itself.

ℹ Install Mechanism

There is no install spec (instruction-only), which reduces surface risk. However the script requires Node and the 'playwright-core' module; neither Node nor dependency installation is documented in SKILL.md. The script tries to require 'playwright-core' (including a fallback path), so users must ensure playwright-core is installed in their environment before running.

✓ Credentials

The script needs only the OpenClaw gateway token (from GATEWAY_TOKEN env var or ~/.openclaw/openclaw.json) to derive the relay token — this is proportional because the relay token is what authorizes CDP access to the user's browser. No other credentials or unrelated secrets are requested.

ℹ Persistence & Privilege

The skill does not request persistent 'always' inclusion or modify other skills/config. However it exercises a high-impact capability at runtime: it controls the user's browser (pages and clicks) while the user is logged in to JD. That privilege is expected for this task but is powerful — the script will act with the authority of the logged-in session, so the user should only run it for trusted code and contexts.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install jd-price-protect
安装完成后，直接呼叫该 Skill 的名称或使用 /jd-price-protect 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: auto-click all price protection buttons on JD.com, supports pagination and cron scheduling.

元数据

Slug jd-price-protect

版本 1.0.0

许可证 —

累计安装 4

当前安装数 4

历史版本数 1

常见问题