sliverp

Xianyu Auto-Fulfillment

Author: Bijin · GitHub ↗ · v0.0.1
cross-platform ⚠ suspicious
Total downloads: 502
Favorites: 3
Current installs: 0
Versions: 1
Install in OpenClaw
/install xianyu-auto-fulfill
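Description
Xianyu auto-fulfillment monitor. Uses agent-browser to automatically check Xianyu for new messages, detect paid orders and fulfill them automatically. Trigger words: 闲鱼发货, 闲鱼监控, 闲鱼自动化, xianyu, 自动发货.
Security recommendations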
Before installing or enabling this skill, consider the following:
  1. It will ask to reuse your main Chrome profile and may read local files (secret pools) or invoke user-specified APIs — only allow this if you trust the exact configuration and understand the data flows.
  2. Prefer not to point it at your full Chrome profile; use a dedicated profile with only the necessary Xianyu session if possible.
  3. Avoid storing production keys as plaintext files; use a secure credential store or environment variables and document them in the skill metadata.
  4. Test in a safe environment with dummy keys and dummy buyer accounts to confirm it sends only intended text.
  5. Require explicit confirmation steps or content review before sending secrets to buyers.
  6. If you cannot review/run the automation yourself safely, treat this skill as high risk and do not enable scheduled runs that reuse your main session.
Functional analysis
Type: OpenClaw Skill
Name: xianyu-auto-fulfill
Version: 0.0.1
The `SKILL.md` file contains instructions that create a severe prompt injection vulnerability. The agent is explicitly told to ask the user for their '发货方式' (fulfillment method) and then '据此配置自动化' (configure automation based on this). Examples provided show that this configuration can involve arbitrary file system operations (reading/deleting files) and network requests (e.g., `curl` to an API). A malicious user could craft their fulfillment method description to instruct the agent to exfiltrate sensitive data (e.g., `~/.ssh/id_rsa`, `/etc/passwd`) or execute arbitrary commands, making this a critical remote code execution risk via prompt injection.
Capability assessment
Purpose & Capability
Name/description match the instructions: monitoring chat, detecting paid orders and sending fulfillment messages. The capabilities requested in SKILL.md (browser automation, reading local files, calling APIs) are plausible for this purpose, but the skill metadata declares no required env/config while the instructions explicitly rely on local Chrome profiles and local secret pools — an omission worth noting.
Instruction Scope
The instructions tell the agent to reuse the main Chrome profile, read local txt key pools (delete lines after use), and call user-provided APIs (curl). Those actions allow access to browser cookies, session tokens, filesystem secrets, and arbitrary network endpoints. There are no safeguards in the prose to prevent accidental exfiltration (e.g., validating destinations or sanitizing output) and little guidance to prevent sending incorrect/secret content to buyers.
Install Mechanism
This is instruction-only (no install spec, no code files). That minimizes supply-chain risk because nothing is downloaded or written by an installer step.
Credentials
The skill declares no required env vars or credentials, yet instructs use of a main Chrome profile path and local secret files and external API calls. Those are effectively requests for high-value local secrets and session data but are not represented in the metadata, creating a transparency gap.
Persistence & Privilege
always is false (normal). The skill recommends scheduling a recurring cron job that must run in the 'main' session to reuse the browser profile — this increases runtime access to persistent browser credentials. Autonomous invocation is permitted (default), which expands blast radius if misconfigured, but autonomous invocation alone is expected for skills.
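How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install xianyu-auto-fulfill
  3. Once installation completes, invoke the Skill directly by name or trigger it with /xianyu-auto-fulfill
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history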
v0.0.1
xianyu-auto-fulfill 0.0.1
- Initial release of the skill for automated order fulfillment on Xianyu.
- Monitors Xianyu chat for new payment orders using agent-browser and sends delivery messages automatically.
- Requires user to specify their delivery method before setup; does not assume any fulfillment approach.
- Provides important operational guidelines, such as not clicking the "去发货" button and ensuring tasks use the main browser session.
- Includes examples and tips for integrating various auto-fulfillment workflows.
- Offers commands for OpenClaw cron scheduling and efficient order checking.
Metadata
Slug xianyu-auto-fulfill
Version 0.0.1
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

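What is Xianyu Auto-Fulfillment?

Xianyu auto-fulfillment monitor. Uses agent-browser to automatically check Xianyu for new messages, detect paid orders and fulfill them automatically. Trigger words: 闲鱼发货, 闲鱼监控, 闲鱼自动化, xianyu, 自动发货. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 502 cumulative downloads to date.

How do I install Xianyu Auto-Fulfillment?

Run the command "/install xianyu-auto-fulfill" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Xianyu Auto-Fulfillment free?

Yes, Xianyu Auto-Fulfillment is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Xianyu Auto-Fulfillment support?

Xianyu Auto-Fulfillment runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Xianyu Auto-Fulfillment?

It is developed and maintained by Bijin (@sliverp); the current version is v0.0.1.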
