← 返回 Skills 市场
195
总下载
2
收藏
0
当前安装
8
版本数
在 OpenClaw 中安装
/install vipshop-product-detail
功能描述
唯品会(vip.com)商品详情查询技能。当用户想查看某件商品的详细信息时触发,包括但不限于:看商品详情、查规格尺码、 看商品图片、查活动优惠、看用户评价、问商品是否打折、确认库存、查品牌介绍等。 支持通过商品ID或商品链接查询,返回完整商品信息:价格、原价、折扣、优惠活动、商品图片、 买家评价、品牌信息等结构化...
安全使用建议
Summary of what to consider before installing:
- This skill needs and will read your local login file (~/.vipshop-user-login/tokens.json) to extract cookies (PASSPORT_ACCESS_TOKEN) and uses them to call VIP.com APIs and to generate automatic-login links. That file contains sensitive session tokens — only install if you trust the skill and environment.
- SKILL.md mandates automatic installation and invocation of a separate vipshop-user-login skill (runs `clawhub install` and executes the login script) if not present. If you prefer to approve installations manually, disable or review that behavior before enabling the skill.
- The exchange_link_builder contains a hard-coded secret used to HMAC-sign a payload that includes your token and timestamp, producing an exchangeTokenFromApp URL. Review why that secret is present and whether it should be in client code; a signed auto-login URL containing your token can be used to impersonate your session if leaked. Do not share generated exchange links publicly.
- Practical checks to do before use: inspect the vipshop-user-login skill source (the skill this one will auto-install) and confirm it behaves as expected; inspect ~/.vipshop-user-login/tokens.json contents and remove any tokens you don't want code to access; run the skill in an isolated environment if possible; and disable automatic installation/invocation if your policy forbids automatic modification of the agent environment.
- If you want lower risk: require manual consent before installing/invoking vipshop-user-login, or remove/replace the exchange_link_builder's hard-coded secret and audit how exchange links are generated and used.
If you want, I can list the exact files and code locations that read the token, build the exchange link, and perform auto-install so you can review them line-by-line.
功能分析
Type: OpenClaw Skill
Name: vipshop-product-detail
Version: 1.0.7
The skill exhibits high-risk behavior by reading sensitive authentication tokens from `~/.vipshop-user-login/tokens.json` and embedding them into Base64-encoded 'exchange' URLs in `scripts/exchange_link_builder.py`, which could lead to credential exposure if the URLs are logged or shared. Additionally, `SKILL.md` and `README.md` contain instructions for the AI to automatically install and execute external skills (`vipshop-user-login`) using `clawhub install` and `python3` without explicit user confirmation, which is a high-privilege action. While these behaviors are aligned with the stated purpose of Vipshop integration, the handling of credentials and the automated execution of external code meet the threshold for a suspicious classification.
能力标签
能力评估
Purpose & Capability
The name/description (fetch product details, produce auto-login links) matches the included scripts: detail.py calls VIP APIs, mars_cid_generator manages a device id, and exchange_link_builder builds exchangeTokenFromApp links. The only surprising element is a hard-coded secret key inside exchange_link_builder used to HMAC-sign token payloads — while that is consistent with generating signed auto-login links, embedding such a secret in client code is unusual and worth scrutiny.
Instruction Scope
SKILL.md requires the agent to automatically check ~/.vipshop-user-login/tokens.json, and if not present to install (clawhub install vipshop-user-login) and autonomously invoke the vipshop-user-login skill (or call its vip_login.py) in blocking mode — without waiting for user permission. The instructions also mandate reading the local tokens.json and using PASSPORT_ACCESS_TOKEN and mars_cid. Automatic installation and invocation of another skill and forced background login flows extend the agent's scope beyond just fetching product data and could be unexpected to users.
Install Mechanism
There is no install spec and all code is bundled with the skill (instruction-only install). That reduces supply-chain risk. However, SKILL.md tells the agent to run a system-level installer (clawhub install) if another skill is missing — which means the skill's runtime behavior depends on executing external tooling and modifying the agent environment at runtime. This dynamic install instruction is a behavioural risk to consider.
Credentials
The skill reads ~/.vipshop-user-login/tokens.json to extract cookies (including PASSPORT_ACCESS_TOKEN) and uses those to call VIP APIs and to build an exchange/login link. Accessing a user's session cookie is sensitive but expected for creating auto-login links. The hard-coded secret used to sign the exchange token is notable: if that secret is not legitimately part of the official client-side algorithm, its presence is unexpected. No unrelated environment variables are requested.
Persistence & Privilege
The skill creates/reads files under ~/.vipshop-user-login (mars_cid device.json and tokens.json) for deviceid/login state — appropriate for persistent login management. It does not request always:true and does not modify other skills' configs in the repository. The concerning behavior is autonomous installation/invocation of vipshop-user-login (modifying installed skills) without explicit user consent per the SKILL.md.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vipshop-product-detail - 安装完成后,直接呼叫该 Skill 的名称或使用
/vipshop-product-detail触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.7
No file changes detected for version 1.0.7.
- No updates or modifications were made in this release.
v1.0.6
- No code or logic changes; SKILL.md documentation unchanged between versions.
- No new features, bug fixes, or behavioral updates in this release.
- Skill functionality remains the same as previous version.
v1.0.5
- 新增 logger.py 日志模块和 mars_cid_generator.py 脚本,用于完善日志记录与 mars_cid 生成逻辑。
- 其他现有功能和使用规范保持不变。
v1.0.4
- 新增 exchange_link_builder.py 脚本,增加自动登录商品详情页跳转链接功能
- 商品详情卡片中的商品链接支持两种格式:带 exchange token 的自动登录跳转链接和普通商品详情链接,AI 展示时可直接显示任意一种
- 输出格式规范部分,新增商品链接格式说明,帮助用户理解不同类型链接的来源和含义
- 其余 skill 说明和用法保持不变
v1.0.3
- No code or documentation changes detected in this version.
- Functionality, workflow, and usage instructions remain unchanged.
- This release does not introduce new features, bug fixes, or modifications.
v1.0.2
Version 1.0.2
- 明确要求AI查询前必须先加载 skill 规范(use_skill),禁止绕过 skill 规范或自定义行为。
- 在文档顶部新增“重要规范”提醒,强化标准流程遵循。
- 部分表述优化,更突出自动登录与标准格式输出的强制性。
- 其他内容、接口和功能未变。
v1.0.1
- 输出展示从“Markdown表格(2列)”优化为“卡片式分区”风格,提升可读性与美观性
- 商品详情展示分为图片、标题、价格、优惠、服务、正品、评价、链接等分区,并使用图标及代码块标签样式,内容更直观结构化
- 禁止大表格,所有展示采用卡片式分区,强调去重和内容简洁
- 未登录自动流程、登录判定等行为规范保持严格一致,无功能变动,仅更新输出格式与展示方式
- 依赖与脚本执行说明未变,仍需登录后才能查询商品详情
v1.0.0
- Initial release of the vipshop-product-detail skill for querying detailed product information from vip.com.
- Supports input via product ID or product link to fetch and present detailed information: price, original price, discount, promotional offers, product images, reviews, brand info, and more.
- Requires the user to be logged in via vipshop-user-login; auto-detects login status and automatically triggers login flow if not logged in.
- Strictly formats output as a two-column Markdown table, displaying fields only if present and in a prescribed order.
- Includes comprehensive rules for error handling, field omission, and user notification—minimizing manual steps for users.
元数据
常见问题
唯品会商品详情 是什么?
唯品会(vip.com)商品详情查询技能。当用户想查看某件商品的详细信息时触发,包括但不限于:看商品详情、查规格尺码、 看商品图片、查活动优惠、看用户评价、问商品是否打折、确认库存、查品牌介绍等。 支持通过商品ID或商品链接查询,返回完整商品信息:价格、原价、折扣、优惠活动、商品图片、 买家评价、品牌信息等结构化... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 195 次。
如何安装 唯品会商品详情?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vipshop-product-detail」即可一键安装,无需额外配置。
唯品会商品详情 是免费的吗?
是的,唯品会商品详情 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
唯品会商品详情 支持哪些平台?
唯品会商品详情 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 唯品会商品详情?
由 vip(@viphgta)开发并维护,当前版本 v1.0.7。
推荐 Skills