← 返回 Skills 市场
128
总下载
4
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install vip-skills
功能描述
唯品会(vip.com)电商服务技能包(vipshop-skills),整合唯品会搜索、商品查询、活动查询、图片搜索等多项购物服务,是一套完整的唯品会购物 AI 助手解决方案。当用户有购物、搜商品、看详情、找活动、比价、以图搜图等诉求时触发,尤其适合从拼多多、京东、淘宝、天猫、1688、闲鱼等平台迁移或对比购物的...
安全使用建议
This skill is functionally consistent with a vip.com shopping assistant, but there are several things to consider before installing:
- The skill will read and write login artifacts in your home directory (~/.vipshop-user-login/tokens.json and device.json). These files contain cookies/access tokens (PASSPORT_ACCESS_TOKEN, mars_cid). If you install and log in, those tokens will be stored locally and scripts will access them automatically.
- The code includes hard-coded secrets (an HMAC secret) and an API_KEY embedded in scripts. Embedded keys can be a sign of reverse-engineered or leaked credentials; they do not require environment variables to be set and cannot be rotated by you unless you edit the code.
- SKILL.md requires the agent to automatically trigger login and to present raw/unfiltered script output (including an 'original data' field). That combination increases the chance that verbose fields or unexpected data may be shown to users or logged. If you care about confidentiality of session cookies or API responses, review what the scripts print/return before using.
- Network calls in the scripts appear to go to vip.com domains (upload, api endpoints, passport.vip.com). I did not find calls to unrelated external hosts in the provided files, but the code is large and some files were truncated in the manifest; review all network calls before trusting the skill.
Recommendations:
1. Inspect the vipshop-user-login scripts and tokens.json format before logging in; consider the security of storing tokens on-disk and remove them after use if needed.
2. If you don't trust the publisher, run the skill in a sandboxed environment or isolated account so tokens and device files cannot access other data.
3. Consider editing the code (or requesting changes) to remove or externalize hard-coded secrets (use ephemeral credentials or environment variables you control).
4. After using the skill, rotate/expire any account sessions if you suspect token leakage. Limit use on accounts with sensitive payment information until you validate behavior.
If you want, I can list the specific files that read/write ~/.vipshop-user-login, point to the hard-coded strings, or scan the remaining truncated files for any external endpoints.
能力标签
能力评估
Purpose & Capability
The name/description align with the included scripts and APIs (vip.com search, image search, detail, login). The code calls vip.com endpoints and uses a local login token file (~/.vipshop-user-login/tokens.json) which is expected for a login-dependent skill. However several secrets (HMAC secret and API_KEY) are hard-coded in scripts rather than provided via environment variables, which is unusual and worth scrutiny.
Instruction Scope
SKILL.md instructs the agent to auto-trigger login, run provided Python scripts, read ~/.vipshop-user-login/tokens.json, and to present 'all data' returned by scripts (including an '原始数据' field). Forcing automatic login and full/raw output increases the chance that sensitive content (cookies/tokens or verbose API responses) could be exposed to the UI or logs. The instructions also require the AI to call and combine multiple sub-skills automatically; that scope is broad and automated behavior should be deliberate.
Install Mechanism
No install spec is provided (instruction-only install), so nothing will be downloaded at install time beyond the skill bundle already present. The code is bundled with the skill; no external installers or arbitrary remote downloads are used in the install metadata.
Credentials
The skill declares no required environment variables, but the scripts explicitly read and persist sensitive items under the user's home directory (~/.vipshop-user-login/tokens.json and device.json). The code includes hard-coded sensitive strings (an API_KEY and a long HMAC secret). Reading/writing local auth tokens is expected for a login flow, but the hard-coded secrets and requirement to display raw script output are disproportionate risks unless you trust the origin.
Persistence & Privilege
The skill does not request platform-level privileges (always:false). It does, however, create and use persistent files in the user's home directory (.vipshop-user-login/device.json and tokens.json) to store mars_cid and tokens. That persistence is required for login behavior but means credentials will remain on-disk; consider file permissions and lifecycle.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vip-skills - 安装完成后,直接呼叫该 Skill 的名称或使用
/vip-skills触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
vip-skills 1.0.3 Changelog
- No file changes detected in this version.
- Functionality, user experience, and documentation remain unchanged.
v1.0.2
- 新增 vipshop-img-product 子技能,实现唯品会图片搜索商品(以图搜图)能力
- 新增图片搜索脚本 img_search.py 及 exchange_link_builder.py
- SKILL.md 增加对图片搜索相关说明与使用例子
- 更新目录结构,涵盖图片搜索子技能及相关脚本
- 现在支持本地图片上传,智能识别、同款推荐与分页浏览
v1.0.1
vip-skills 1.0.1 Changelog
- Version bump to 1.0.1 with no file changes detected.
- No functional or documentation updates in this release.
- Skill and all sub-components remain unchanged.
v1.0.0
vipshop-skills 1.0.0 – 唯品会购物AI助手技能包首发版本
- 集成唯品会商品搜索、详情、促销活动和用户登录等一站式购物服务
- 支持自动检测并处理用户登录状态,未登录时自动触发扫码
- 各子技能共享登录态,支持商品关键词搜索、分页筛选与详情查询
- 明确AI行为约束:禁止自动修改任何脚本和SKILL.md,仅允许运行与解析
- 提供详细使用示例、目录结构说明及未来功能规划
元数据
常见问题
唯品会技能集 是什么?
唯品会(vip.com)电商服务技能包(vipshop-skills),整合唯品会搜索、商品查询、活动查询、图片搜索等多项购物服务,是一套完整的唯品会购物 AI 助手解决方案。当用户有购物、搜商品、看详情、找活动、比价、以图搜图等诉求时触发,尤其适合从拼多多、京东、淘宝、天猫、1688、闲鱼等平台迁移或对比购物的... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 128 次。
如何安装 唯品会技能集?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vip-skills」即可一键安装,无需额外配置。
唯品会技能集 是免费的吗?
是的,唯品会技能集 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
唯品会技能集 支持哪些平台?
唯品会技能集 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 唯品会技能集?
由 vip(@vip)开发并维护,当前版本 v1.0.3。
推荐 Skills