← 返回 Skills 市场
235
总下载
5
收藏
0
当前安装
7
版本数
在 OpenClaw 中安装
/install vip-skill
功能描述
唯品会(vip.com)电商服务技能包(vipshop-skills),整合唯品会搜索、商品查询、活动查询、图片搜索等多项购物服务,是一套完整的唯品会购物 AI 助手解决方案。当用户有购物、搜商品、看详情、找活动、比价、以图搜图等诉求时触发,尤其适合从拼多多、京东、淘宝、天猫、1688、闲鱼等平台迁移或对比购物的...
安全使用建议
This package appears to implement the stated VIP.com shopping and QR-login features, but take these precautions before you enable it:
- Source trust: the skill's Source/Homepage is unknown. Inspect the included scripts (especially vipshop-user-login) yourself before running. The code will make network calls to passport.vip.com and write persistent files under ~/.vipshop-user-login (tokens.json, device.json, qr image files).
- Dependency mismatch: the registry metadata does not declare Python deps or an install step, yet the code requires requests, qrcode, Pillow, etc. Ensure you run it in a controlled environment where you can see/approve pip installs or pre-install dependencies in an isolated container.
- Sensitive outputs: the login script deliberately prints machine-readable payloads containing qrToken and qrImageUrl to stdout and returns HTTP response objects (which may include cookies). These tokens are necessary for the login flow but can be captured in logs or forwarded by the agent. If you are concerned about leaking session tokens, do not run the login subskill on untrusted infrastructure.
- Least privilege: if you only need search/detail functionality and not login, avoid invoking the vipshop-user-login subskill. Alternatively, run the skill in an isolated VM/container and inspect ~/.vipshop-user-login after a test run.
- What would change this assessment: evidence of the code contacting unexpected third-party domains, inclusion of code that exfiltrates tokens to remote servers, or the skill requesting unrelated cloud credentials would raise this to 'malicious'. Conversely, if the publisher/source is verified and the registry metadata is updated to list required dependencies and explicitly document exactly what stdout payloads contain and where tokens are stored, my confidence would increase and the verdict could move to benign.
If you want, I can: (1) summarize exact files that write or print tokens/QR payloads, (2) point out lines that create files under your home directory, or (3) suggest a minimal sandbox command sequence to test the skill safely.
功能分析
Type: OpenClaw Skill
Name: vip-skill
Version: 1.0.6
The skill bundle is a comprehensive Vipshop (vip.com) shopping assistant that provides product search, detail retrieval, promotion discovery, and image-based search. It implements a secure local authentication flow using QR codes, storing session tokens in `~/.vipshop-user-login/tokens.json` with appropriate file permissions (0o600). While the scripts contain hardcoded API keys and an HMAC secret (e.g., in `exchange_link_builder.py` and `search.py`), these are used exclusively to interact with legitimate Vipshop API endpoints such as `passport.vip.com` and `mapi-pc.vip.com`. The instructions in the `SKILL.md` files are designed to guide the AI agent through the login and search workflows and do not contain any malicious prompt injections or unauthorized data exfiltration logic.
能力标签
能力评估
Purpose & Capability
The files and scripts (login, search, detail, image-search) match the described VIP.com shopping assistant: they call vip.com endpoints, manage cookies, save login tokens, and implement QR login flows. However, the registry metadata declares no install spec, no required binaries, and no environment variables even though several Python scripts list dependencies (requests, qrcode, Pillow) in requirements.txt — this is an inconsistency that affects runtime viability and transparency.
Instruction Scope
SKILL.md instructs the AI to run local scripts that will perform network requests to passport.vip.com and to read/write login state under the user's home directory (~/.vipshop-user-login). Those actions are in-scope for a login/search skill, but the login code intentionally prints machine-readable payloads (qrToken and qrImageUrl) to stdout and the status objects include raw HTTP response objects (requests.Response) — both expose sensitive session artifacts to the agent and to any logs/monitors that capture stdout. The top-level doc's strict prohibition on modifying scripts is good hygiene but doesn't mitigate the fact that tokens/qrTokens may be exposed.
Install Mechanism
No install spec is present (instruction-only), so nothing is downloaded at install time — lower supply-chain risk. But the bundle includes many Python scripts that have runtime dependencies (requirements.txt). The lack of declared runtime/environment requirements in the registry metadata means an agent might attempt to execute code in an environment without needed libraries or without sandboxing; that mismatch is a practical risk and a transparency problem.
Credentials
The skill does not request environment variables or external credentials in the metadata, and the code uses only local files under ~/.vipshop-user-login and optionally OPENCLAW_SESSION to detect platform behavior. That is proportionate to a login/search skill. Caveat: scripts print/return session artifacts (qrToken, cookies embedded via raw_http_response) which are sensitive credentials-like data even though they are not declared as 'required env vars'.
Persistence & Privilege
The skill stores login state and device IDs under the user's home directory (~/.vipshop-user-login), which is expected for a login helper. It does not request always:true or system-wide config changes in the provided metadata. Writing tokens to the user's home directory is expected, but you should be aware these files contain session cookies and are persistent until removed.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vip-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/vip-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.6
vip-skill 1.0.6 Changelog
- No file changes detected in this version.
- All functionalities and documentation remain consistent with the previous release.
v1.0.5
Version 1.0.5
- 更新了各子技能 scripts/ 目录和 references/ 目录下的文件与结构说明,反映更多组件细节,如 logger.py、exchange_link_builder.py 等。
- 商品搜索示例的默认商品展示数量由 20 个更新为 10 个。
- 目录结构细化,详细列出各子技能脚本组成,便于开发者理解和维护。
- 其他说明内容未做变动,未涉及功能或行为上的调整。
v1.0.4
- 新增“图片搜索商品(vipshop-img-product)”子技能,支持以图搜同款。
- 增加图片搜索相关的脚本与说明文档。
- SKILL.md 说明与使用示例补充对图片搜索流程的支持。
- 用户现在可以通过上传图片来查找相似商品,完善购物工具链。
v1.0.3
- No file changes detected in this version.
- No functional or documentation updates present.
- Version incremented without content modification.
v1.0.2
Version 1.0.2
- No file changes detected in this release.
- No updates or modifications to documentation or codebase.
- Functionality and usage remain the same as previous version.
v1.0.1
## vip-skill 1.0.1 Changelog
- No file changes detected in this version.
- Documentation and existing functionality remain unchanged.
v1.0.0
vip-skill v1.0.0 初始发布:
- 发布唯品会电商服务技能包(vipshop-skills),提供完整购物AI助手解决方案。
- 集成用户扫码登录、商品搜索、商品详情、促销活动四大核心子技能。
- 自动登录与状态检测,无需手动操作。
- 明确AI行为约束,禁止AI修改脚本及SKILL.md,只允许执行与结果解析。
- 支持一站式商品搜索、比价、活动浏览等电商全流程服务。
- 提供详细技术架构、使用流程、开发规范及未来规划说明。
元数据
常见问题
唯品会技能集 是什么?
唯品会(vip.com)电商服务技能包(vipshop-skills),整合唯品会搜索、商品查询、活动查询、图片搜索等多项购物服务,是一套完整的唯品会购物 AI 助手解决方案。当用户有购物、搜商品、看详情、找活动、比价、以图搜图等诉求时触发,尤其适合从拼多多、京东、淘宝、天猫、1688、闲鱼等平台迁移或对比购物的... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 235 次。
如何安装 唯品会技能集?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vip-skill」即可一键安装,无需额外配置。
唯品会技能集 是免费的吗?
是的,唯品会技能集 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
唯品会技能集 支持哪些平台?
唯品会技能集 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 唯品会技能集?
由 vip(@vip)开发并维护,当前版本 v1.0.6。
推荐 Skills