Total downloads: 285
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install shopping-in-se
Description
Assist with searching, adding to cart, and securely purchasing products from trusted Swedish e-commerce sites using the Zupyak Mynt Card.
Security recommendations
Key things to consider before installing or enabling this skill:
- The skill's runtime explicitly reads sensitive files from your home directory (~/Private/用户个人信息.txt and files containing the 'Zupyak Mynt Card'). The registry metadata does NOT declare these config paths — ask the author to declare them and explain why those exact files are required.
- The skill uses the local CDP endpoint (ws/http on 127.0.0.1:18800) to control iframes and inject mouse/key events. CDP access can interact with any open browser target and potentially see other pages/tabs. Only allow this skill if you trust its source and you are comfortable with that level of local browser control.
- There are hard-coded example card details in the reference files. Confirm these are dummy/test values; never store real card numbers in plaintext files in your home directory. Consider using ephemeral/virtual card numbers (bank-provided one-time cards) instead of a persistent file.
- If you want to proceed, require these mitigations: (1) insist the skill author update metadata to list required config paths and any other secrets; (2) require explicit, per-order user confirmation (the SKILL.md already says so — verify the agent enforces it); (3) avoid storing real cards in cleartext and prefer short-lived tokens; (4) run the skill in a restricted/test environment first and monitor network/DevTools activity; (5) prefer manual checkout for high-value purchases.
If you cannot get the author to declare and justify the local-file access and to remove hard-coded sensitive values, treat the skill as untrusted and do not enable it with access to your real payment/recipient files.
Functional analysis
Type: OpenClaw Skill
Name: shopping-in-se
Version: 1.0.0
The skill facilitates automated online shopping by instructing the agent to read sensitive PII and credit card details from local files (~/Private/) and use the Chrome DevTools Protocol (CDP) to bypass iframe security boundaries. The provided Python code in 'references/cdp-click.md' uses low-level socket communication to interact with the browser's CDP interface (localhost:18800), allowing it to programmatically enter card data and trigger clicks inside cross-origin payment iframes (Klarna/Stripe). While the skill includes safety instructions like user confirmation and a 'trusted sites' list, the combination of local secret access and the ability to bypass browser security controls for financial transactions represents a high-risk capability.
Capability assessment
Purpose & Capability
The name/description (shopping in Sweden using a designated card) matches the runtime behavior (search, add to cart, checkout, handle payment iframes). However the skill metadata declares no required config paths or credentials while the runtime instructions explicitly require reading sensitive local files (~/Private/用户个人信息.txt and two payment-card files). That metadata/instruction mismatch is an incoherence and should be corrected/justified.
Instruction Scope
SKILL.md instructs the agent to read personal recipient data and payment card details from specific local filesystem paths and to connect to the platform's local CDP endpoint (127.0.0.1:18800) to operate inside cross-origin payment iframes. Reading and submitting private files to external shopping sites is within the stated shopping purpose, but referencing hard-coded local paths (including a Chinese-named file) and using the CDP to control any browser target increases the blast radius and should be explicitly authorized by the user.
Install Mechanism
This is an instruction-only skill with no install spec and no code files executed by the registry installer, which reduces supply-chain risk. The runtime instructions themselves include Python snippets that the agent would run; that is expected for this kind of skill.
Credentials
The registry declares no required environment variables or config paths, but the instructions require direct access to sensitive local files containing recipient details and the Zupyak Mynt Card. That is disproportionate to the declared metadata and constitutes sensitive credential/file access that should be declared and minimized. The references include an explicit card number/example in the docs — presence of hard-coded card data is alarming and should be removed or marked clearly as a fake/test card.
Persistence & Privilege
always is false and the skill is user-invocable; it can be invoked autonomously (platform default). The skill needs direct access to the local CDP interface during a run, which allows controlling browser targets and could access other pages; this is powerful but not permanent. No evidence the skill modifies other skills or requests permanent presence.
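How to use
- Make sure OpenClaw is installed (locally or deployed with Docker)
- Enter the install command in the chat box: /install shopping-in-se
- Once installation completes, call the Skill by name or trigger it with /shopping-in-se
- Provide the required inputs according to the Skill's parameter description to get structured output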
Version history
v1.0.0
Initial release: Swedish e-commerce shopping skill with Klarna/Stripe/Adyen payment support
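FAQ
What is Shopping in Sweden?
Assist with searching, adding to cart, and securely purchasing products from trusted Swedish e-commerce sites using the Zupyak Mynt Card. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 285 total downloads to date.
How do I install Shopping in Sweden?
Run the command "/install shopping-in-se" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is Shopping in Sweden free?
Yes, Shopping in Sweden is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Shopping in Sweden support?
Shopping in Sweden is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Shopping in Sweden?
It is developed and maintained by caoooqiii (@caoqi); the current version is v1.0.0.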