← 返回 Skills 市场
100
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install taobao-rebate
功能描述
返利宝统一技能。只按 3 个用户场景工作:S01 授权与教程、S02 链接返利、S03 商品搜索。用户说“返利”“教程”“详细教程”“提现教程”“提现10元”“确认提现”“我已授权”“账户余额”等走 S01;发送淘宝、京东、拼多多商品链接走 S02;表达想买什么商品时走 S03。S03 的职责是提取商品搜索信息,...
安全使用建议
This skill appears to implement a typical rebate/link workflow (recognize links, search products, generate rebate links, and handle withdraws), but it depends on an external backend hosted at xiaomaxiangshenghuo.io.mlj130.com that is not documented in the skill metadata. Before installing or enabling the skill: 1) Verify the backend/service owner (homepage, source repo, or vendor) to ensure you trust that domain; 2) be cautious about performing the 'WeChat authorization' flow the skill prompts — it will send a machine-specific code to that third-party site and may bind your openid; 3) avoid running the documented 'npm install' build step in a privileged environment — prefer inspecting the bundled code or running in an isolated sandbox; 4) review what personal identifiers you will expose (machine code, openid) and where local binding files are stored; 5) if you can't validate the backend and operator, consider not installing or running the skill. If you want, I can help: a) enumerate the exact network endpoints the code calls, b) search public records for the domain owner, or c) point out exactly which files implement the auth flow so you can review them line-by-line.
功能分析
Type: OpenClaw Skill
Name: taobao-rebate
Version: 1.0.1
The skill bundle implements a rebate assistant for Chinese e-commerce platforms but contains high-risk patterns. Specifically, `scripts/common.js` reads the global `openclaw.json` configuration file to retrieve sensitive LLM provider API keys and uses `child_process.spawnSync` to execute `curl` for network requests, including an option to bypass SSL verification (`insecure` flag). While these capabilities are used to facilitate product searching and intent recognition via the backend at `mlj130.com`, the practice of a skill bundle accessing global platform secrets and using shell-adjacent commands for network I/O represents a significant security risk and potential for abuse.
能力评估
Purpose & Capability
Name/description (淘宝返利 / rebate assistant) aligns with the included scripts: link recognition, product search, rebate-link creation, balance and withdraw flows. However the implementation embeds hard-coded backend URLs (xiaomaxiangshenghuo.io.mlj130.com) and a web-based auth landing flow instead of requiring declared API credentials; that is plausible for this product but should have been documented in metadata (homepage, required endpoints).
Instruction Scope
SKILL.md directs the agent to invoke specific local CLI scripts and to return script stdout verbatim. The scripts themselves perform network calls to a rebate backend, resolve short links, save/load local openid bindings, and may ask the user to follow an external WeChat landing page. The instructions do not ask the agent to read arbitrary system files, but they do force returning third-party content unchanged and to provide auth URLs that embed a machine code — both increase privacy/anti-phishing risk.
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md documents build steps that run 'npm install' and 'npm run build' in the skill workspace. Running npm install will fetch packages from public registries (network fetch) and execute build scripts — this is a moderate-risk install path that is not captured in the skill metadata. The distributed bundle already contains many JS files, but the documented build step should be treated as a potential supply-chain risk.
Credentials
The skill declares no required env vars or credentials, and instead relies on a machine-specific code and a web-based WeChat auth flow (machinecode passed as query parameter to an external auth URL). While not requesting user secrets directly, the skill will cause the user to visit/authorize on an external site and stores an openid binding locally — reasonable for this service but disproportionate to the lack of any documented backend or homepage. Hard-coded external URLs and implicit trust in that backend raise privacy/credential risks (exfiltration of machine code / openid).
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or global agent settings. It persists a local 'machineCode' and openid binding within its workspace (expected for an auth flow). Autonomous invocation is enabled by default (normal) and not in itself flagged here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install taobao-rebate - 安装完成后,直接呼叫该 Skill 的名称或使用
/taobao-rebate触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
**提现流程和话术升级:本版本新增提现流程路由与话术,完善对提现场景(如“提现10元”“确认提现”)的识别与处理。**
v1.0.0
Initial release of rebate-assistant (返利宝) skill.
- Focuses on three user scenarios: S01 (authorization/tutorial), S02 (rebate via product links), and S03 (product search).
- Implements strict routing rules and output constraints for consistent user experience.
- S01: Handles onboarding, authorization, tutorials, and balance inquiries.
- S02: Processes Taobao, JD, and Pinduoduo product links for rebate link generation.
- S03: Extracts product search intent from user queries and returns structured search input.
- Exposes unified entry script and enforces markdown-formatted responses with no extra explanations.
元数据
常见问题
淘宝返利 是什么?
返利宝统一技能。只按 3 个用户场景工作:S01 授权与教程、S02 链接返利、S03 商品搜索。用户说“返利”“教程”“详细教程”“提现教程”“提现10元”“确认提现”“我已授权”“账户余额”等走 S01;发送淘宝、京东、拼多多商品链接走 S02;表达想买什么商品时走 S03。S03 的职责是提取商品搜索信息,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 100 次。
如何安装 淘宝返利?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install taobao-rebate」即可一键安装,无需额外配置。
淘宝返利 是免费的吗?
是的,淘宝返利 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
淘宝返利 支持哪些平台?
淘宝返利 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 淘宝返利?
由 wuweizhen(@skyfile)开发并维护,当前版本 v1.0.1。
推荐 Skills