weizhao-vip-search

在唯品会(VIP.com)搜索商品，引导用户登录并调用搜索API获取关键字商品。

This skill does what it says (search VIP.com) but asks you to copy and paste a full logged-in browser Cookie — which is effectively a secret that can grant access to your account. Before installing or using it: - Do NOT paste your full session cookie into chat. Prefer running the included script locally on your own machine and passing the cookie only on your machine (and preferably by a safer method than a command-line argument, e.g., read from stdin or a temp file with restricted permissions). - Inspect the included script (scripts/search_vip.py) yourself — it currently only contacts VIP.com, but any code can be changed to exfiltrate cookies elsewhere. Only run the exact source you reviewed. - Use a throwaway/ephemeral login session if possible, or create a temporary account/session that you can revoke afterwards. After use, log out and/or invalidate the session from your account settings. - Note the example command uses a hardcoded local path — ensure you run the script from the repository path (or adjust the path) rather than copying the example verbatim. - Prefer safer alternatives: use public search pages that don't require login, or an official API/OAuth flow if VIP.com provides one. If you are not comfortable handling session cookies or cannot ensure you’ll run the reviewed script locally, do not provide your cookie to this skill.

Type: OpenClaw Skill Name: weizhao-vip-search Version: 1.0.0 The skill explicitly instructs users to manually extract and provide their session 'Cookie' from a logged-in browser session to the agent, which is a high-risk pattern for credential handling. While the script 'scripts/search_vip.py' appears to only use the cookie to query the legitimate 'vip.com' domain, the solicitation of raw session tokens via prompt instructions is a significant security risk that could be leveraged for account takeover or lead to accidental credential exposure.