pingjiang

Service Distribution Shopping SKILL

Author: as · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 76
Favorites: 1
Current installs: 0
Versions: 1
Install in OpenClaw
/install seap-shopping
Description
Skill for user-present / user-not-present purchases
Security recommendations
This skill reads and writes local session files and documents a workflow that would require payment tokens, cron scheduling, and cloud APIs — yet the shipped JS is a local mock that does not perform networked payments or scheduling. Before installing or supplying any real payment credentials: (1) treat this as a demo/placebo implementation until the author provides real API integrations; (2) do not store real payment tokens in seap.config.json in plaintext; (3) review/modify the scripts to implement secure API calls, encrypted credential storage, and proper cron integration or run it in an isolated/test environment; (4) if you expect automatic scheduled purchases, require the author to demonstrate secure handling of tokens, network endpoints, and error handling. If you cannot verify those, avoid providing real secrets or using the skill for real purchases.
Functional analysis
Type: OpenClaw Skill
Name: seap-shopping
Version: 1.0.0
The skill exhibits a shell injection vulnerability in SKILL.md, where user-provided input (queryGoodsIntention) is passed directly into a shell command (node scripts seap-cli search ... --intent=${queryGoodsIntention}) without sanitization. While the accompanying scripts/seap-cli.js contains only benign mock logic for searching and purchasing goods, the instruction pattern in SKILL.md creates a high-risk surface for remote code execution (RCE) if the OpenClaw agent executes the command as written. No evidence of intentional malice, data exfiltration, or persistence was found.
Capability assessment
Purpose & Capability
SKILL.md and README describe real-world shopping: cloud authCode/secretToken, payment (aipay), and OpenClaw cron scheduling. The included scripts implement only local mock search/purchase logic (mockGoodsData, mockBuyResponse) and do not call any external APIs, do not read seap.config.json, and do not integrate with a cron service or payment gateway. The declared purpose (real purchases) does not match the actual capability (demo/mock local behavior).
Instruction Scope
The runtime instructions tell the agent to run node commands, read/write `${sessionId}.json` and `${sessionId}_state.json`, use a secretToken for deferred payments, and create cron tasks. The CLI writes sessionId.json results but does not implement cron creation or payment token usage. The SKILL.md also inconsistently references command names (e.g., 'node scripts seap-cli' vs the actual file seap-cli.js) and describes state files that are not fully managed by the code. Instructions thus promise actions (networked payments, scheduling) that the code does not perform.
Install Mechanism
No install spec is provided (instruction-only + included JS file). Nothing is downloaded or extracted from external URLs; risk from install mechanism is low. The skill does write/read files in the skill working directory at runtime (session JSON files).
Credentials
No environment variables or external credentials are required by the package metadata. However, SKILL.md and seap.config.json instruct the user to store sensitive values (authCode, secretToken, address) in a local seap.config.json file. Those tokens are not used by the included CLI, which is inconsistent — storing payment tokens in plaintext config files is a potential security risk and should be avoided unless you verify the code and storage protections.
Persistence & Privilege
always is false; the skill is user-invocable and may be invoked autonomously (platform default). The skill writes per-session files (e.g., `${sessionId}.json`) in the skill directory at runtime but does not modify other skills or system-wide settings. No elevated persistence requests are present.
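How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install seap-shopping
  3. Once installation finishes, call the Skill by name or trigger it with /seap-shopping
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history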
v1.0.0
SEAP Shopping Skill v1.0.0 – Initial Release
- Supports both in-person and scheduled (not-in-person) product purchases via dialog triggers.
- Automatically activates when the user's message contains the keyword "买".
- Integrates with seap-cli tools for searching products and handling payment.
- Provides a workflow for users to select items by number and confirm purchases.
- Enables scheduled purchase tasks by parsing time expressions and setting up cron jobs.
- Maintains session state, purchase mode, and scheduling info for each user session.
Metadata
Slug seap-shopping
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
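FAQ

What is Service Distribution Shopping SKILL?

A skill for user-present / user-not-present purchases. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 76 total downloads to date.

How do I install Service Distribution Shopping SKILL?

Run the command "/install seap-shopping" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Service Distribution Shopping SKILL free?

Yes, Service Distribution Shopping SKILL is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.

Which platforms does Service Distribution Shopping SKILL support?

Service Distribution Shopping SKILL runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Service Distribution Shopping SKILL?

It is developed and maintained by as (@pingjiang); the current version is v1.0.0.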
